Trojan.Win32.Bublik.caqm (Kaspersky), Trojan.GenericKD.1588089 (B) (Emsisoft), Trojan.GenericKD.1588089 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6547c20e2ce10eed3739af76becbae17
SHA1: d7f45d7f003ce9ca20a8f31004730be73f31a22c
SHA256: 771e93819c7edc041e078d81e24e17646fdf75c601ef9b5eaec0770668ee7619
SSDeep: 96:BPosVfXYEI3k8 rd2HGkRiDtrQ57fShKn9vwAl17q8d7ZH1YI2op:a4fXYEI3X rd0fiJY809YkvdVVRtp
Size: 6746 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-04-15 18:24:28
Analyzed on: Windows7 SP1 64-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The TROJAN-PSW creates the following process(es):
WMIADAP.EXE:332
bcdedit.exe:1608
bcdedit.exe:1312
bcdedit.exe:1324
bcdedit.exe:2904
bcdedit.exe:2920
bcdedit.exe:908
bcdedit.exe:2916
bcdedit.exe:1464
bcdedit.exe:1296
bcdedit.exe:944
dutit.exe:2860
systeminfo.exe:2032
WatAdminSvc.exe:2880
WatAdminSvc.exe:2864
TrustedInstaller.exe:3224
reader_sl.exe:2744
sppsvc.exe:1136
wsqmcons.exe:3028
opera_autoupdater.exe:2676
wueva.exe:2124
WinMail.exe:2640
The TROJAN-PSW injects its code into the following process(es):
butit.exe:2828
cmd.exe:1556
File activity
The process WMIADAP.EXE:332 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)
The process butit.exe:2828 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
C:\Windows\client64.dll (278 bytes)
C:\Windows\zlib1.dll (59 bytes)
C:\Windows\aplib64.dll (12 bytes)
C:\Windows\client.dll (227 bytes)
C:\Windows\aplib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (0 bytes)
The process dutit.exe:2860 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
The process WatAdminSvc.exe:2880 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
C:\Windows\SysWOW64 (128 bytes)
C:\Users\adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp (4 bytes)
C:\Windows (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (20 bytes)
C:\$Directory (2904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
C:\Windows\System32 (1616 bytes)
The process WatAdminSvc.exe:2864 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)
The process TrustedInstaller.exe:3224 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\Logs\CBS\CBS.log (15573 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)
The process reader_sl.exe:2744 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
C:\$Directory (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
C:\Windows\System32 (264 bytes)
The process sppsvc.exe:1136 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)
The process opera_autoupdater.exe:2676 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)
The process wueva.exe:2124 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
C:\ (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (16896 bytes)
C:\Windows (292 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (13544 bytes)
C:\$Directory (392 bytes)
C:\Windows\System32 (7408 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (0 bytes)
The process WinMail.exe:2640 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
Registry activity
The process bcdedit.exe:1608 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1312 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1324 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2904 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2920 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:908 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2916 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1464 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1296 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:944 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process butit.exe:2828 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "21 2F 6D ED CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
To automatically run itself each time Windows is booted, the TROJAN-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process dutit.exe:2860 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process systeminfo.exe:2032 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"mlang.dll,-4386" = "English (United States)"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
The process WatAdminSvc.exe:2880 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
The process TrustedInstaller.exe:3224 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-MiniLP~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdHigh" = "30362827"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdLow" = "217541315"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2014/3/31:10:21:59.212 6.1.7601.17592 (win7sp1_gdr.110408-1631)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB958488~31bf3856ad364e35~amd64~~6.2.7600.16513]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-VistaPlus-Update~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKLM\COMPONENTS]
"ExecutionState"
"PendingXmlIdentifier"
"RepairTransactionPended"
"PoqexecFailure"
The process reader_sl.exe:2744 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Umdejugi]
"17h0c258" = "2725182190"
The process wsqmcons.exe:3028 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastEventTimeStamp" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows\AdaptiveSqm\ManifestInfo]
"Version" = "0"
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastRunTime" = "Type: REG_QWORD, Length: 8"
The process opera_autoupdater.exe:2676 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process wueva.exe:2124 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "BB 31 A2 F2 CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Umdejugi]
"2i68e5jc" = "IfLCgV opXvh0JwoH"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Umdejugi]
"1bbjh9de" = "zPpZotmgo3CR0A==H"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2E 00 00 00 09 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the TROJAN-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process WinMail.exe:2640 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"
[HKCU\Identities\{3F6462B6-0D79-49A2-A5DF-1C1BA99503E4}]
"Identity Ordinal" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows Mail]
"Settings Upgraded" = "10"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-VersionLow" = "0"
"Wow64-Revision" = "0"
"SubSysId" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VendorId" = "0"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "DE 07 03 00 01 00 1F 00 0A 00 15 00 1E 00 02 01"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"SoftwareFallback" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"
[HKCU\Software\Microsoft\Windows Mail]
"Running" = "1"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-DXFeatureLevel" = "0"
[HKCU\Software\Microsoft\Windows Mail]
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Revision" = "0"
"Wow64-SubSysId" = "0"
"Wow64-VersionHigh" = "0"
"Wow64-VendorId" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"
[HKCU\Identities]
"Identity Ordinal" = "2"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionHigh" = "0"
"DXFeatureLevel" = "0"
"Wow64-DeviceId" = "0"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"
[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{1EB81331-FC86-4AA6-8732-BE942D69423C}.oeaccount"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"DeviceID" = "0"
[HKCU\Software\Microsoft\IAM]
"Default LDAP Account" = "account{36371AF8-B4F9-4875-8144-FF4D5D7B9054}.oeaccount"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"
[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"
[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionLow" = "0"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Identities]
"Changing"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Identities]
"IncomingID"
"OutgoingID"
[HKCU\Software\Microsoft\WAB]
"NamedProps"
Dropped PE files
MD5 | File path |
---|---|
4437ea54e849d46273b260372c6dec20 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe |
7db604c446cb21b06b7673a9206914be | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\opera_autoupdater.exe |
046a9363a58f8c4105e5871a514b63cc | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 |
7fe2b0b3fc2078130f20070a05daf8d5 | c:\Windows\aplib.dll |
3f4fe60b6d1e05144f6efa098ac381a8 | c:\Windows\aplib64.dll |
01c1e3ab46762ef23eb2ac898ea84c2c | c:\Windows\client.dll |
86bb1de30ba26a8d34e6568ab59b89e0 | c:\Windows\client64.dll |
80e41408f6d641dc1c0f5353a0cc8125 | c:\Windows\zlib1.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN", the TROJAN-PSW intercepts the loading of executable images into memory by installing a load-image notifier.
Using the driver "UNKNOWN", the TROJAN-PSW intercepts system registry operations by installing a registry notifier.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIADAP.EXE:332
bcdedit.exe:1608
bcdedit.exe:1312
bcdedit.exe:1324
bcdedit.exe:2904
bcdedit.exe:2920
bcdedit.exe:908
bcdedit.exe:2916
bcdedit.exe:1464
bcdedit.exe:1296
bcdedit.exe:944
dutit.exe:2860
systeminfo.exe:2032
WatAdminSvc.exe:2880
WatAdminSvc.exe:2864
TrustedInstaller.exe:3224
reader_sl.exe:2744
sppsvc.exe:1136
wsqmcons.exe:3028
opera_autoupdater.exe:2676
wueva.exe:2124
WinMail.exe:2640
- Delete the original TROJAN-PSW file.
- Delete or disinfect the following files created/modified by the TROJAN-PSW:
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
C:\Windows\client64.dll (278 bytes)
C:\Windows\zlib1.dll (59 bytes)
C:\Windows\aplib64.dll (12 bytes)
C:\Windows\client.dll (227 bytes)
C:\Windows\aplib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
C:\Windows\SysWOW64 (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
C:\$Directory (2904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\Logs\CBS\CBS.log (15573 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)
C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"
- Reboot the computer.
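The removal steps above can be scripted against the indicators this report actually records: the PE files in the "Dropped PE files" table (with their MD5s), the unsigned driver C:\Windows\System32\drivers\4b7ba.sys, the wueva.exe persistence copy, and the two Run-key values. The strings section shows why the sample spawns so many bcdedit.exe processes: it runs "bcdedit.exe -set TESTSIGNING ON" so the unsigned driver can load, and ExitWindowsEx to force the reboot that applies it. Several processes in the termination list (TrustedInstaller.exe, sppsvc.exe, WatAdminSvc.exe, wsqmcons.exe, WMIADAP.EXE, systeminfo.exe, WinMail.exe) are ordinary Windows components that happened to run in the sandbox, so the script below does not touch processes at all. It is an added triage script, not part of the Lavasoft report; the paths are the report's with the sandbox user substituted by environment variables, the -Remove switch and the MD5 cross-check are my additions, and Get-FileHash assumes PowerShell 4 or later.

```powershell
# Added triage/cleanup script for the artifacts listed in this report.
# Not part of the original Lavasoft report. Run from an elevated prompt.
# Without -Remove it only reports; with -Remove it deletes the artifacts,
# clears the Run-key values and turns test-signing back off.
param([switch]$Remove)

# MD5s from the "Dropped PE files" table above, keyed by file name.
$knownMd5 = @{
    'butit.exe'             = '4437ea54e849d46273b260372c6dec20'
    'opera_autoupdater.exe' = '7db604c446cb21b06b7673a9206914be'
    'aplib.dll'             = '7fe2b0b3fc2078130f20070a05daf8d5'
    'aplib64.dll'           = '3f4fe60b6d1e05144f6efa098ac381a8'
    'client.dll'            = '01c1e3ab46762ef23eb2ac898ea84c2c'
    'client64.dll'          = '86bb1de30ba26a8d34e6568ab59b89e0'
    'zlib1.dll'             = '80e41408f6d641dc1c0f5353a0cc8125'
}

$temp  = Join-Path $env:LOCALAPPDATA 'Temp'
$files = @(
    (Join-Path $env:windir 'client.dll'),
    (Join-Path $env:windir 'client64.dll'),
    (Join-Path $env:windir 'aplib.dll'),
    (Join-Path $env:windir 'aplib64.dll'),
    (Join-Path $env:windir 'zlib1.dll'),
    (Join-Path $env:windir 'System32\drivers\4b7ba.sys'),   # dropped driver
    (Join-Path $env:APPDATA 'Zecois\wueva.exe'),             # persistence copy
    (Join-Path $temp 'butit.exe'),
    (Join-Path $temp 'dutit.exe'),
    (Join-Path $temp 'opera_autoupdater.exe')
)

# Run-key values written by the sample (see the autorun step above).
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('forfPING', 'Wueva')

$hits = @()

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
    $name = Split-Path -Path $f -Leaf
    # Flag whether the hash matches the one recorded in this report.
    $match = if ($knownMd5.ContainsKey($name)) {
        if ($knownMd5[$name] -eq $md5) { 'matches report' } else { 'DIFFERENT from report' }
    } else { 'no hash in report' }
    $hits += "file  $f  md5=$md5  ($match)"
    if ($Remove) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue }
}

$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($run -and $run.PSObject.Properties[$v]) {
        $hits += "run   $v = $($run.$v)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $v }
    }
}

# The injected code runs "bcdedit.exe -set TESTSIGNING ON" so that the
# unsigned 4b7ba.sys can be loaded; bcdedit reports "testsigning  Yes".
$bcd = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
if ($bcd -match '(?im)^\s*testsigning\s+Yes') {
    $hits += 'bcd   testsigning is ON for {current}'
    if ($Remove) { & bcdedit.exe /set '{current}' testsigning off | Out-Null }
}

if ($hits.Count -eq 0) {
    'No artifacts from this report were found on this host.'
} else {
    $hits
    if ($Remove) { 'Artifacts removed; reboot to unload the driver and apply the bcdedit change.' }
}
```

If the driver is already loaded, its load-image and registry notifiers may block the deletion of 4b7ba.sys or re-create the Run values; that is why the report's first manual step is an anti-rootkit scan, and the file deletions are best done from an offline boot environment when Remove-Item fails. Files whose hash is reported as different from the table are still worth quarantining, since the dropped components can change between builds of the same family.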
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1259 | 1536 | 3.48941 | ea4a11f8ff9ed99ebc87aff02102a621 |
.data | 8192 | 3146 | 3584 | 4.65409 | 6603bf6b43b300ad9e541effbd07fd89 |
.rsrc | 12288 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
butit.exe_2828_rwx_002E0000_00001000:
kernel32.dll
butit.exe_2828_rwx_02BF0000_0006D000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
=65!c
8=6(0?5 &
svp%uec
{zfnmt==.eno
0123456789
`82uURL
`8.sC
G%c_|
.Oex=
".xF=
.Ol (
cxa6.xb
X?(xg.TD
x.Na<\}
xKx.QW
!^!<!>
http://www.google.com/
http://www.bing.com/
HTTP/1.1
REPORT
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
t.Ht$HHt
w%fkN
L$Â$
m9.td
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
3'393 7%7
4&4-41484
7#7'7 7/737
8‚8C8O8_8k8s8{8
4%5x5<6
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
Wadvapi32.dll
kernel32.dll
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\LocalLow
Global\{773C504E-EDB3-4088-A815-C48790E0E79A}
cmd.exe_1556:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
ntdll.dll
KERNEL32.dll
api-ms-win-core-processthreads-l1-1-0.DLL
WINBRAND.dll
u.WhpF
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
Ju.hl
ADVAPI32.dll
USER32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
ShellExecuteExW
_amsg_exit
_pipe
GetWindowsDirectoryW
NeedCurrentDirectoryForExePathW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
CmdBatNotification
RegCloseKey
RegOpenKeyExW
RegDeleteKeyExW
RegCreateKeyExW
cmd.pdb
del "butit.exe"
f exist "butit.exe" goto 298383
del 298383.cmd
383.cmd
CMD Internal Error %s
version="5.1.0.0"
name="Microsoft.Windows.FileSystem.CMD"
<description>Windows Command Processor</description>
<requestedExecutionLevel>
<windowsSettings></windowsSettings>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
=#=)=8={=
9%9-949>9
CMD.EXE
()|&=,;"
CMDCMDLINE
COPYCMD
\XCOPY.EXE
0123456789
DisableCMD
Software\Policies\Microsoft\Windows\System
eKERNEL32.DLL
cmd.exe
DIRCMD
%d.%d.d
/K %s
%WINDOWS_COPYRIGHT%
Ungetting: '%s'
GeToken: (%x) '%s'
NTDLL.DLL
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
KEYS
%s %s
%s %s%s
X-X
\CMD.EXE
CMDEXTVERSION
<> -*/%()|^&=,
-%sd%sd%sd
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp>
butit.exe
.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ndows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%Program Files% (x86)\Wireshark
tit.exe"
\Local\Temp\butit.exe
butit.exe"
-h "butit.exe"
d%sd%s
d%sd%sd
(%s) %s
%s=%s
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC
&()[]{}^=;!%' ,`~
Windows Command Processor
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Cmd.Exe
Windows
Operating System
6.1.7601.17514
cmd.exe_1556_rwx_027C0000_0006D000:
The strings in this region are identical to those of butit.exe_2828_rwx_02BF0000_0006D000 above (from ".text" through "Global\{773C504E-EDB3-4088-A815-C48790E0E79A}"): the same 0x6D000-byte image, containing the "bcdedit.exe -set TESTSIGNING ON" and "%s\drivers\%s.sys" strings, was injected into both butit.exe and cmd.exe.