Gen.Variant.Razy.91228_7fb39c905b
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Razy.91228 (B) (Emsisoft), Gen:Variant.Razy.91228 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7fb39c905bd5e82697d330e24826af51
SHA1: a8b911680a4b942dc7912128a3e9f22d050d87c2
SHA256: 4b81c549e258ba69155b9a704d0b597a93d4251f25a4d3ee81a934e52be7c643
SSDeep: 1536:txz5QDav0/4aox9jm/F/Tf20abr3H0lQG:tx92dox9W/TfAbzUlQ
Size: 90112 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-10 15:09:37
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2696
%original file name%.exe:1048
The Trojan injects its code into the following process(es):
svchost.exe:2548
iexplore.exe:2968
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)
The process %original file name%.exe:1048 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)
Registry activity
The process %original file name%.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"
The process %original file name%.exe:1048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2696
%original file name%.exe:1048
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: ingsgfsd.exe
Internal Name: ingsgfsd.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 70468 | 73728 | 4.77458 | b4cb5a50c3cfcbcbe6cf3ca93bc44018 |
.sdata | 81920 | 103 | 4096 | 0.17733 | eb8888836e61c24d10eaf77133d71668 |
.rsrc | 90112 | 680 | 4096 | 0.470968 | 30eef3fbcaf74211943e4232c5adebc9 |
.reloc | 98304 | 12 | 4096 | 0.011373 | 1a0748cb79dd392e61372c45e3d83325 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.google.com/ | |
micropdz13.ddns.net | |
www.google.com.ua | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA
Content-Length: 262
Date: Fri, 31 Mar 2017 03:52:16 GMT
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=cNLdWNOoJ83i8Aea_qWADA">here</A>.
</BODY></HTML>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps