Skip to main content

TROJANPSW.WIN32.ZBOT.4_64bit_6547c20e2c


Trojan.Win32.Bublik.caqm (Kaspersky), Trojan.GenericKD.1588089 (B) (Emsisoft), Trojan.GenericKD.1588089 (AdAware), GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6547c20e2ce10eed3739af76becbae17

SHA1: d7f45d7f003ce9ca20a8f31004730be73f31a22c

SHA256: 771e93819c7edc041e078d81e24e17646fdf75c601ef9b5eaec0770668ee7619

SSDeep: 96:BPosVfXYEI3k8 rd2HGkRiDtrQ57fShKn9vwAl17q8d7ZH1YI2op:a4fXYEI3X rd0fiJY809YkvdVVRtp

Size: 6746 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-04-15 18:24:28

Analyzed on: Windows7 SP1 64-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The TROJAN-PSW creates the following process(es):

WMIADAP.EXE:332
bcdedit.exe:1608
bcdedit.exe:1312
bcdedit.exe:1324
bcdedit.exe:2904
bcdedit.exe:2920
bcdedit.exe:908
bcdedit.exe:2916
bcdedit.exe:1464
bcdedit.exe:1296
bcdedit.exe:944
dutit.exe:2860
systeminfo.exe:2032
WatAdminSvc.exe:2880
WatAdminSvc.exe:2864
TrustedInstaller.exe:3224
reader_sl.exe:2744
sppsvc.exe:1136
wsqmcons.exe:3028
opera_autoupdater.exe:2676
wueva.exe:2124
WinMail.exe:2640

The TROJAN-PSW injects its code into the following process(es):

butit.exe:2828
cmd.exe:1556

File activity

The process WMIADAP.EXE:332 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)

The TROJAN-PSW deletes the following file(s):

C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)

The process butit.exe:2828 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
C:\Windows\client64.dll (278 bytes)
C:\Windows\zlib1.dll (59 bytes)
C:\Windows\aplib64.dll (12 bytes)
C:\Windows\client.dll (227 bytes)
C:\Windows\aplib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)

The TROJAN-PSW deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (0 bytes)

The process dutit.exe:2860 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)

The process WatAdminSvc.exe:2880 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
C:\Windows\SysWOW64 (128 bytes)
C:\Users\adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp (4 bytes)
C:\Windows (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (20 bytes)
C:\$Directory (2904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
C:\Windows\System32 (1616 bytes)

The process WatAdminSvc.exe:2864 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)

The process TrustedInstaller.exe:3224 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\Logs\CBS\CBS.log (15573 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)

The process reader_sl.exe:2744 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
C:\$Directory (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
C:\Windows\System32 (264 bytes)

The process sppsvc.exe:1136 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)

The process opera_autoupdater.exe:2676 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)

The process wueva.exe:2124 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
C:\ (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (16896 bytes)
C:\Windows (292 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (13544 bytes)
C:\$Directory (392 bytes)
C:\Windows\System32 (7408 bytes)

The TROJAN-PSW deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (0 bytes)

The process WinMail.exe:2640 makes changes in the file system.


The TROJAN-PSW creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)

The TROJAN-PSW deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)

Registry activity

The process bcdedit.exe:1608 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:1312 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:1324 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:2904 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:2920 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:908 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:2916 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:1464 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:1296 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process bcdedit.exe:944 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"

The process butit.exe:2828 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "21 2F 6D ED CA 4C CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

To automatically run itself each time Windows is booted, the TROJAN-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process dutit.exe:2860 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process systeminfo.exe:2032 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"mlang.dll,-4386" = "English (United States)"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

The process WatAdminSvc.exe:2880 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

The process TrustedInstaller.exe:3224 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-MiniLP~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdHigh" = "30362827"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdLow" = "217541315"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"

[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2014/3/31:10:21:59.212 6.1.7601.17592 (win7sp1_gdr.110408-1631)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"

[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB958488~31bf3856ad364e35~amd64~~6.2.7600.16513]
"Trusted" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-VistaPlus-Update~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKLM\COMPONENTS]
"ExecutionState"
"PendingXmlIdentifier"
"RepairTransactionPended"
"PoqexecFailure"

The process reader_sl.exe:2744 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Umdejugi]
"17h0c258" = "2725182190"

The process wsqmcons.exe:3028 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastEventTimeStamp" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\SQMClient\Windows\AdaptiveSqm\ManifestInfo]
"Version" = "0"

[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastRunTime" = "Type: REG_QWORD, Length: 8"

The process opera_autoupdater.exe:2676 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process wueva.exe:2124 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "BB 31 A2 F2 CA 4C CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Umdejugi]
"2i68e5jc" = "IfLCgV opXvh0JwoH"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Umdejugi]
"1bbjh9de" = "zPpZotmgo3CR0A==H"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2E 00 00 00 09 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the TROJAN-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process WinMail.exe:2640 makes changes in the system registry.


The TROJAN-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Identities\{3F6462B6-0D79-49A2-A5DF-1C1BA99503E4}]
"Identity Ordinal" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Settings Upgraded" = "10"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-VersionLow" = "0"
"Wow64-Revision" = "0"
"SubSysId" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VendorId" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "DE 07 03 00 01 00 1F 00 0A 00 15 00 1E 00 02 01"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"SoftwareFallback" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"

[HKCU\Software\Microsoft\Windows Mail]
"Running" = "1"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-DXFeatureLevel" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Revision" = "0"
"Wow64-SubSysId" = "0"
"Wow64-VersionHigh" = "0"
"Wow64-VendorId" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionHigh" = "0"
"DXFeatureLevel" = "0"
"Wow64-DeviceId" = "0"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{1EB81331-FC86-4AA6-8732-BE942D69423C}.oeaccount"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"DeviceID" = "0"

[HKCU\Software\Microsoft\IAM]
"Default LDAP Account" = "account{36371AF8-B4F9-4875-8144-FF4D5D7B9054}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionLow" = "0"

The TROJAN-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

Dropped PE files

MD5 File path
4437ea54e849d46273b260372c6dec20c:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe
7db604c446cb21b06b7673a9206914bec:\Users\"%CurrentUserName%"\AppData\Local\Temp\opera_autoupdater.exe
046a9363a58f8c4105e5871a514b63ccc:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2
7fe2b0b3fc2078130f20070a05daf8d5c:\Windows\aplib.dll
3f4fe60b6d1e05144f6efa098ac381a8c:\Windows\aplib64.dll
01c1e3ab46762ef23eb2ac898ea84c2cc:\Windows\client.dll
86bb1de30ba26a8d34e6568ab59b89e0c:\Windows\client64.dll
80e41408f6d641dc1c0f5353a0cc8125c:\Windows\zlib1.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "UNKNOWN" the TROJAN-PSW controls loading executable images into a memory by installing the Load image notifier.



Using the driver "UNKNOWN" the TROJAN-PSW controls operations with a system registry by installing the registry notifier.



Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIADAP.EXE:332
    bcdedit.exe:1608
    bcdedit.exe:1312
    bcdedit.exe:1324
    bcdedit.exe:2904
    bcdedit.exe:2920
    bcdedit.exe:908
    bcdedit.exe:2916
    bcdedit.exe:1464
    bcdedit.exe:1296
    bcdedit.exe:944
    dutit.exe:2860
    systeminfo.exe:2032
    WatAdminSvc.exe:2880
    WatAdminSvc.exe:2864
    TrustedInstaller.exe:3224
    reader_sl.exe:2744
    sppsvc.exe:1136
    wsqmcons.exe:3028
    opera_autoupdater.exe:2676
    wueva.exe:2124
    WinMail.exe:2640

  3. Delete the original TROJAN-PSW file.
  4. Delete or disinfect the following files created/modified by the TROJAN-PSW:

    C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
    C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
    C:\Windows\client64.dll (278 bytes)
    C:\Windows\zlib1.dll (59 bytes)
    C:\Windows\aplib64.dll (12 bytes)
    C:\Windows\client.dll (227 bytes)
    C:\Windows\aplib.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
    C:\Windows\SysWOW64 (128 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
    C:\$Directory (2904 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
    C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)
    C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
    C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
    C:\Windows\Logs\CBS\CBS.log (15573 bytes)
    C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
    C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)
    C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
    C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)
    C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"

  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text4096125915363.48941ea4a11f8ff9ed99ebc87aff02102a621
.data8192314635844.654096603bf6b43b300ad9e541effbd07fd89
.rsrc12288165120bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

butit.exe_2828_rwx_002E0000_00001000:

kernel32.dll

kernel32.dll

butit.exe_2828_rwx_02BF0000_0006D000:

.text

.text

`.data

`.data

.idata

.idata

@.reloc

@.reloc

PSSSSSSh

PSSSSSSh

bcdedit.exe -set TESTSIGNING ON

bcdedit.exe -set TESTSIGNING ON

%s\drivers\%s.sys

%s\drivers\%s.sys

\\.\NtSecureSys

\\.\NtSecureSys

ntdll.dll

ntdll.dll

svchost.exe

svchost.exe

EUDC\%d

EUDC\%d

KeDelayExecutionThread

KeDelayExecutionThread

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

RegFlushKey

RegFlushKey

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

msvcrt.dll

msvcrt.dll

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

=65!c

=65!c

8=6(0?5 &

8=6(0?5 &

svp%uec

svp%uec

{zfnmt==.eno

{zfnmt==.eno

0123456789

0123456789

`82uURL

`82uURL

`8.sC

`8.sC

G%c_|

G%c_|

.Oex=

.Oex=

".xF=

".xF=

.Ol (

.Ol (

cxa6.xb

cxa6.xb

X?(xg.TD

X?(xg.TD

x.Na<\}

x.Na<\}

xKx.QW

xKx.QW

!^!<!><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>HTTP/1.1</pre><pre>REPORT</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>RegDeleteKeyExW</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>t.Ht$HHt</pre><pre>w%fkN</pre><pre>L$$</pre><pre>m9.td</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>3'393 7%7</pre><pre>4&4-41484</pre><pre>7#7'7 7/737</pre><pre>8‚8C8O8_8k8s8{8</pre><pre>4%5x5<6</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>urlmon.dll</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>Wadvapi32.dll</pre><pre>kernel32.dll</pre><pre>shell32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>cabinet.dll</pre><pre>C:\Users\"%CurrentUserName%"\AppData\Roaming</pre><pre>C:\Users\"%CurrentUserName%"\AppData\LocalLow</pre><pre>Global\{773C504E-EDB3-4088-A815-C48790E0E79A}</pre><b>cmd.exe_1556:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>msvcrt.dll</pre><pre>ntdll.dll</pre><pre>KERNEL32.dll</pre><pre>api-ms-win-core-processthreads-l1-1-0.DLL</pre><pre>WINBRAND.dll</pre><pre>u.WhpF</pre><pre>SetConsoleInputExeNameW</pre><pre>APerformUnaryOperation: '%c'</pre><pre>APerformArithmeticOperation: '%c'</pre><pre>Ju.hl</pre><pre>ADVAPI32.dll</pre><pre>USER32.dll</pre><pre>SHELL32.dll</pre><pre>MPR.dll</pre><pre>RegEnumKeyW</pre><pre>ShellExecuteExW</pre><pre>_amsg_exit</pre><pre>_pipe</pre><pre>GetWindowsDirectoryW</pre><pre>NeedCurrentDirectoryForExePathW</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>CmdBatNotification</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>RegDeleteKeyExW</pre><pre>RegCreateKeyExW</pre><pre>cmd.pdb</pre><pre>del "butit.exe"</pre><pre>f exist "butit.exe" goto 298383</pre><pre>del 298383.cmd</pre><pre>383.cmd</pre><pre>CMD Internal Error %s</pre><pre>version="5.1.0.0"</pre><pre>name="Microsoft.Windows.FileSystem.CMD"</pre><pre><description>Windows Command Processor</description></pre><pre><requestedExecutionLevel><pre><windowsSettings></windowsSettings></pre><pre><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></pre><pre></pre><pre>=#=)=8={=</pre><pre>9%9-949>9</pre><pre>CMD.EXE</pre><pre>()|&=,;"</pre><pre>CMDCMDLINE</pre><pre>COPYCMD</pre><pre>\XCOPY.EXE</pre><pre>0123456789</pre><pre>DisableCMD</pre><pre>Software\Policies\Microsoft\Windows\System</pre><pre>eKERNEL32.DLL</pre><pre>cmd.exe</pre><pre>DIRCMD</pre><pre>%d.%d.d</pre><pre>/K %s</pre><pre>%WINDOWS_COPYRIGHT%</pre><pre>Ungetting: '%s'</pre><pre>GeToken: (%x) '%s'</pre><pre>NTDLL.DLL</pre><pre>%x %c</pre><pre>*** Unknown type: %x</pre><pre>Args: `%s'</pre><pre>Cmd: %s Type: %x</pre><pre>%s (%s) %s</pre><pre>KEYS</pre><pre>%s %s</pre><pre>%s %s%s</pre><pre>X-X</pre><pre>\CMD.EXE</pre><pre>CMDEXTVERSION</pre><pre><> -*/%()|^&=,</pre><pre>-%sd%sd%sd</pre><pre>C:\Users\"%CurrentUserName%"\AppData\Local\Temp</pre><pre>C:\Users\"%CurrentUserName%"\AppData\Local\Temp></pre><pre>butit.exe</pre><pre>.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC</pre><pre>ndows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%Program Files% (x86)\Wireshark</pre><pre>tit.exe"</pre><pre>\Local\Temp\butit.exe</pre><pre>butit.exe"</pre><pre>-h "butit.exe"</pre><pre>d%sd%s</pre><pre>d%sd%sd</pre><pre>(%s) %s</pre><pre>%s=%s</pre><pre>.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC</pre><pre>&()[]{}^=;!%' ,`~</pre><pre>Windows Command Processor</pre><pre>6.1.7601.17514 (win7sp1_rtm.101119-1850)</pre><pre>Cmd.Exe</pre><pre>Windows</pre><pre>Operating System</pre><pre>6.1.7601.17514</pre><b>cmd.exe_1556_rwx_027C0000_0006D000:</b><pre>.text</pre><pre>`.data</pre><pre>.idata</pre><pre>@.reloc</pre><pre>PSSSSSSh</pre><pre>bcdedit.exe -set TESTSIGNING ON</pre><pre>%s\drivers\%s.sys</pre><pre>\\.\NtSecureSys</pre><pre>ntdll.dll</pre><pre>svchost.exe</pre><pre>EUDC\%d</pre><pre>KeDelayExecutionThread</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>ExitWindowsEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteA</pre><pre>SHELL32.dll</pre><pre>msvcrt.dll</pre><pre>Invalid parameter passed to C runtime function.</pre><pre>=65!c</pre><pre>8=6(0?5 &</pre><pre>svp%uec</pre><pre>{zfnmt==.eno</pre><pre>0123456789</pre><pre>`82uURL</pre><pre>`8.sC</pre><pre>G%c_|</pre><pre>.Oex=</pre><pre>".xF=</pre><pre>.Ol (</pre><pre>cxa6.xb</pre><pre>X?(xg.TD</pre><pre>x.Na<\}</pre><pre>xKx.QW</pre><pre>!^!<!><pre>http://www.google.com/</pre><pre>http://www.bing.com/</pre><pre>HTTP/1.1</pre><pre>REPORT</pre><pre>userenv.dll</pre><pre>del "%s"</pre><pre>if exist "%s" goto d</pre><pre>del /F "%s"</pre><pre>RegDeleteKeyExW</pre><pre>gdiplus.dll</pre><pre>GdiplusShutdown</pre><pre>t.Ht$HHt</pre><pre>w%fkN</pre><pre>L$$</pre><pre>m9.td</pre><pre>zcÁ</pre><pre>GetKeyboardState</pre><pre>MsgWaitForMultipleObjects</pre><pre>CryptGetKeyParam</pre><pre>CryptImportKey</pre><pre>CryptDestroyKey</pre><pre>RegCreateKeyExW</pre><pre>RegQueryInfoKeyW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegEnumKeyExW</pre><pre>PathIsURLW</pre><pre>UrlUnescapeA</pre><pre>SHLWAPI.dll</pre><pre>ShellExecuteW</pre><pre>Secur32.dll</pre><pre>ole32.dll</pre><pre>WS2_32.dll</pre><pre>CertDeleteCertificateFromStore</pre><pre>CertOpenSystemStoreW</pre><pre>CertCloseStore</pre><pre>CertEnumCertificatesInStore</pre><pre>CertDuplicateCertificateContext</pre><pre>PFXExportCertStoreEx</pre><pre>PFXImportCertStore</pre><pre>CRYPT32.dll</pre><pre>HttpSendRequestExA</pre><pre>HttpQueryInfoA</pre><pre>InternetCrackUrlA</pre><pre>HttpOpenRequestA</pre><pre>HttpEndRequestA</pre><pre>HttpAddRequestHeadersA</pre><pre>WININET.dll</pre><pre>OLEAUT32.dll</pre><pre>NETAPI32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>VERSION.dll</pre><pre>3'393 7%7</pre><pre>4&4-41484</pre><pre>7#7'7 7/737</pre><pre>8‚8C8O8_8k8s8{8</pre><pre>4%5x5<6</pre><pre>launchpadshell.exe</pre><pre>dirclt32.exe</pre><pre>wtng.exe</pre><pre>prologue.exe</pre><pre>pcsws.exe</pre><pre>fdmaster.exe</pre><pre>urlmon.dll</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s</pre><pre>"%s" %s</pre><pre>/c "%s"</pre><pre>Wadvapi32.dll</pre><pre>kernel32.dll</pre><pre>shell32.dll</pre><pre>\StringFileInfo\xx\%s</pre><pre>cabinet.dll</pre><pre>C:\Users\"%CurrentUserName%"\AppData\Roaming</pre><pre>C:\Users\"%CurrentUserName%"\AppData\LocalLow</pre><pre>Global\{773C504E-EDB3-4088-A815-C48790E0E79A}</pre></!></pre></requestedExecutionLevel></pre></!>