MD5: 7d383f960ea5508c2ad305078de38b84
SHA1: d3c9a364fb9e3ad9fb190ce82d92b01aac7293bc
SHA256: a86e0f50ef8d02a97c80270c57a712e68d7f4ce335f2d4f6d9a7480929a0c203
SSDeep: 49152:2m/kdj9Z2906F3rTJxabQTfsmBHy tI4IdT:2msRZ2906F7Ly fsmBHc4U
Size: 2260992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Kuzyakov Artur
Created at: 2017-05-09 17:31:08
Analyzed on: Windows7 SP1 32-bit

Summary:

Keylogger. Tracking software that records keyboard and/or mouse activity. Keyloggers typically either store the recorded keystrokes for later retrieval or they transmit them to the remote process or person employing the keylogger. While there are some legitimate uses of keyloggers, but they are often used maliciously by attackers to surreptitiously track behavior to perform unwanted or unauthorized actions included but not limited to identity theft.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2692

The Trojan injects its code into the following process(es):

QOS.exe:2788

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\QDLNQJ\QOS.00 (1 bytes)
C:\ProgramData\QDLNQJ\QOS.exe (148 bytes)
C:\ProgramData\QDLNQJ\QOS.02 (55 bytes)
C:\crack.txt (1 bytes)
C:\ProgramData\QDLNQJ\QOS.01 (81 bytes)

The process QOS.exe:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\QDLNQJ\QOS.01 (81 bytes)
C:\ProgramData\QDLNQJ\QOS.02 (57 bytes)
C:\ProgramData\DPT\QOS.004 (3021 bytes)

Registry activity

The process %original file name%.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process QOS.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QOS Start" = "C:\ProgramData\QDLNQJ\QOS.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

SSh8BS

udPh

SSh@ S

PSSSSSSh

PSSSSSSh!

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

.EKSWU

FTPG

FTPj

FtPS

=KNILw.tT=RCNEw

_0 _8 _4;_,

SHA1 block transform for x86, CRYPTOGAMS by <appro@openssl.org>

SHA256 block transform for x86, CRYPTOGAMS by <appro@openssl.org>

DlSHA512 block transform for x86, CRYPTOGAMS by <appro@openssl.org>

Montgomery Multiplication for x86, CRYPTOGAMS by <appro@openssl.org>

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by <appro@openssl.org>

Camellia for x86 by <appro@openssl.org>

RC4 for x86, CRYPTOGAMS by <appro@openssl.org>

FRegDeleteKeyExW

gmail.com

MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}</STYLE></HEAD><META http-equiv=Content-Type content="text/html; charset=utf-8"><BODY>

mail@domain.com

Date: %d %s %d %d:%d:%d

EHLO %s

,qop=%s

,response=%s

,digest-uri="%s"

,cnonce="%s"

,nc=%s

,nonce="%s"

,realm="%s"

charset=utf-8,username="%s"

smtp/

AUTH PLAIN %s

^%s^%s

AUTH LOGIN

LOGIN

--%s--

RCPT TO:<%s>

MAIL FROM:<%s>

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

portuguese-brazilian

ADVAPI32.DLL

kernel32.dll

UxTheme.dll

OLEACC.dll

passed a null parameter

DSO support routines

x509 certificate routines

error:lX:%s:%s:%s

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

lhash part of OpenSSL 1.0.0d 8 Feb 2011

Stack part of OpenSSL 1.0.0d 8 Feb 2011

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

Big Number part of OpenSSL 1.0.0d 8 Feb 2011

ASN.1 part of OpenSSL 1.0.0d 8 Feb 2011

keylen <= sizeof key

EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)

len>=0 && len<=(int)sizeof(ctx->key)

j <= (int)sizeof(ctx->key)

keylength

keyfunc

EVP part of OpenSSL 1.0.0d 8 Feb 2011

.\crypto\pkcs12\p12_key.c

SHA1 part of OpenSSL 1.0.0d 8 Feb 2011

SHA-256 part of OpenSSL 1.0.0d 8 Feb 2011

SHA-512 part of OpenSSL 1.0.0d 8 Feb 2011

RSA part of OpenSSL 1.0.0d 8 Feb 2011

RAND part of OpenSSL 1.0.0d 8 Feb 2011

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

value.bag

value.safes

value.shkeybag

value.keybag

value.sdsicert

value.x509cert

value.other

cert_info

hexkey

rsa_keygen_pubexp

rsa_keygen_bits

NETAPI32.DLL

KERNEL32.DLL

value.single

value.set

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

enc_key

key_enc_algor

cert

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

d.data

d.other

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

%d.%d.%d.%d/%d.%d.%d.%d

%*s%s:

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

name.relativename

name.fullname

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

AUTHORITY_KEYID

keyid

X509_CERT_PAIR

X509_CERT_AUX

%d.%d.%d.%d

EC part of OpenSSL 1.0.0d 8 Feb 2011

ECDSA part of OpenSSL 1.0.0d 8 Feb 2011

.\crypto\ec\ec_key.c

DSA part of OpenSSL 1.0.0d 8 Feb 2011

Diffie-Hellman part of OpenSSL 1.0.0d 8 Feb 2011

.\crypto\dh\dh_key.c

\X

<unsupported>

IP Address:%d.%d.%d.%d

URI:%s

DNS:%s

email:%s

EdiPartyName:<unsupported>

X400Name:<unsupported>

othername:<unsupported>

d.usernotice

d.cpsuri

CERTIFICATEPOLICIES

%*sExplicit Text: %s

%*sNumber%s:

%*sOrganization: %s

%*sCPS: %s

ddddddZ

ddddddZ

pubkey

priv_key

pub_key

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

.\crypto\evp\evp_pkey.c

ECDH part of OpenSSL 1.0.0d 8 Feb 2011

%'%1$=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

%s: (%d bit)

Public-Key

Private-Key

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

Public-Key: (%d bit)

Private-Key: (%d bit)

X.509 part of OpenSSL 1.0.0d 8 Feb 2011

OPENSSL_ALLOW_PROXY_CERTS

x%s

%s - d:d:d%.*s %d%s

'() ,-./:=?

CONF part of OpenSSL 1.0.0d 8 Feb 2011

%*sPolicy Text: %s

%*scrlUrl:

EXTENDED_KEY_USAGE

%*sZone: %s, User:

.\crypto\x509v3\v3_akey.c

PKEY_USAGE_PERIOD

keyCertSign

Certificate Sign

keyAgreement

Key Agreement

keyEncipherment

Key Encipherment

.\crypto\x509v3\v3_skey.c

MD5 part of OpenSSL 1.0.0d 8 Feb 2011

PROXY_CERT_INFO_EXTENSION

D:/Projects/openssl-10.0d/ssl/certs

D:/Projects/openssl-10.0d/ssl/cert.pem

SSL_CERT_DIR

SSL_CERT_FILE

Basis Type: %s

Field Type: %s

ASN1 OID: %s

%s %s%lu (%s0x%lx)

%lu:%s:%s:%d:%s

CONF_def part of OpenSSL 1.0.0d 8 Feb 2011

[[%s]]

[%s] %s=%s

crlUrl

certStatus

certId

OCSP_CERTSTATUS

value.unknown

value.revoked

value.good

value.byKey

value.byName

reqCert

OCSP_CERTID

issuerKeyHash

certs

d.receiptList

d.allOrFirstTier

d.compressedData

d.authenticatedData

d.encryptedData

d.digestedData

d.envelopedData

d.signedData

d.ori

d.pwri

d.kekri

d.kari

d.ktri

CMS_PasswordRecipientInfo

keyDerivationAlgorithm

keyIdentifier

CMS_KeyAgreeRecipientInfo

recipientEncryptedKeys

CMS_OriginatorIdentifierOrKey

d.originatorKey

CMS_OriginatorPublicKey

CMS_RecipientEncryptedKey

CMS_KeyAgreeRecipientIdentifier

d.rKeyId

CMS_RecipientKeyIdentifier

CMS_OtherKeyAttribute

keyAttr

keyAttrId

CMS_KeyTransRecipientInfo

encryptedKey

keyEncryptionAlgorithm

certificates

d.crl

d.subjectKeyIdentifier

d.issuerAndSerialNumber

CMS_CertificateChoices

d.v2AttrCert

d.v1AttrCert

d.extendedCertificate

d.certificate

CMS_OtherCertificateFormat

otherCert

otherCertFormat

%s.dll

PEM part of OpenSSL 1.0.0d 8 Feb 2011

phrase is too short, needs to be at least %d chars

Enter PEM pass phrase:

TRUSTED CERTIFICATE

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

CERTIFICATE

X509 CERTIFICATE

PRIVATE KEY

ENCRYPTED PRIVATE KEY

ANY PRIVATE KEY

.\crypto\evp\evp_key.c

nkey <= EVP_MAX_KEY_LENGTH

?456789:;<=

!"#$%&'()* ,-./0123

Verifying - %s

OpenSSL 1.0.0d 8 Feb 2011

%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s

EXPORT56

EXPORT40

EXPORT

.\ssl\ssl_cert.c

SSLv3 part of OpenSSL 1.0.0d 8 Feb 2011

TLSv1 part of OpenSSL 1.0.0d 8 Feb 2011

SSLv2 part of OpenSSL 1.0.0d 8 Feb 2011

s->session->master_key_length >= 0 && s->session->master_key_length < (int)sizeof(s->session->master_key)

wrong number of key bits

unsupported status type

unsupported ssl version

unsupported protocol

unsupported elliptic curve

unsupported digest type

unsupported compression algorithm

unsupported cipher

unknown pkey type

unknown key exchange type

unknown certificate type

unable to find public key parameters

unable to extract public key

unable to decode ecdh certs

unable to decode dh certs

tried to use unsupported cipher

tls peer did not respond with certificate list

tls client cert req with anon cipher

tlsv1 unsupported extension

tlsv1 certificate unobtainable

tlsv1 bad certificate status response

tlsv1 bad certificate hash value

tlsv1 alert export restriction

sslv3 alert unsupported certificate

sslv3 alert no certificate

sslv3 alert certificate unknown

sslv3 alert certificate revoked

sslv3 alert certificate expired

sslv3 alert bad certificate

signature for non signing certificate

reuse cert type not zero

reuse cert length not zero

public key not rsa

public key is not rsa

public key encrypt error

peer error unsupported certificate type

peer error no certificate

peer error certificate

peer did not return a certificate

null ssl method passed

no publickey

no private key assigned

no privatekey

Peer haven't sent GOST certificate, required for selected ciphersuite

no client cert received

no client cert method

no ciphers passed

no certificate specified

no certificate set

no certificate returned

no certificate assigned

no certificates returned

missing tmp rsa pkey

missing tmp rsa key

missing tmp ecdh key

missing tmp dh key

missing rsa signing cert

missing rsa encrypting cert

missing rsa certificate

missing export tmp rsa key

missing export tmp dh key

missing dsa signing cert

missing dh rsa cert

missing dh key

missing dh dsa cert

krb5 server rd_req (keytab perms?)

key arg too long

invalid ticket keys length

http request

https proxy request

error generating tmp rsa key

ecc cert should have sha1 signature

ecc cert should have rsa signature

ecc cert not for signing

ecc cert not for key agreement

cert length mismatch

certificate verify failed

bad ecc cert

bad dh pub key length

TLS1_SETUP_KEY_BLOCK

tls1_cert_verify_mac

SSL_VERIFY_CERT_CHAIN

SSL_use_RSAPrivateKey_file

SSL_use_RSAPrivateKey_ASN1

SSL_use_RSAPrivateKey

SSL_use_PrivateKey_file

SSL_use_PrivateKey_ASN1

SSL_use_PrivateKey

SSL_use_certificate_file

SSL_use_certificate_ASN1

SSL_use_certificate

SSL_SET_PKEY

SSL_SET_CERT

SSL_SESS_CERT_NEW

SSL_GET_SIGN_PKEY

SSL_GET_SERVER_SEND_CERT

SSL_CTX_use_RSAPrivateKey_file

SSL_CTX_use_RSAPrivateKey_ASN1

SSL_CTX_use_RSAPrivateKey

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_PrivateKey_ASN1

SSL_CTX_use_PrivateKey

SSL_CTX_use_certificate_file

SSL_CTX_use_certificate_chain_file

SSL_CTX_use_certificate_ASN1

SSL_CTX_use_certificate

SSL_CTX_set_client_cert_engine

SSL_CTX_check_private_key

SSL_CHECK_SRVR_ECC_CERT_AND_ALG

SSL_check_private_key

SSL_CERT_NEW

SSL_CERT_INSTANTIATE

SSL_CERT_INST

SSL_CERT_DUP

SSL_add_file_cert_subjects_to_stack

SSL_add_dir_cert_subjects_to_stack

SSL3_SETUP_KEY_BLOCK

SSL3_SEND_SERVER_KEY_EXCHANGE

SSL3_SEND_SERVER_CERTIFICATE

SSL3_SEND_CLIENT_KEY_EXCHANGE

SSL3_SEND_CLIENT_CERTIFICATE

SSL3_SEND_CERTIFICATE_REQUEST

SSL3_OUTPUT_CERT_CHAIN

SSL3_GET_SERVER_CERTIFICATE

SSL3_GET_KEY_EXCHANGE

SSL3_GET_CLIENT_KEY_EXCHANGE

SSL3_GET_CLIENT_CERTIFICATE

SSL3_GET_CERT_VERIFY

SSL3_GET_CERT_STATUS

SSL3_GET_CERTIFICATE_REQUEST

SSL3_GENERATE_KEY_BLOCK

SSL3_CHECK_CERT_AND_ALGORITHM

SSL3_ADD_CERT_TO_BUF

SSL2_SET_CERTIFICATE

SSL2_GENERATE_KEY_MATERIAL

REQUEST_CERTIFICATE

GET_CLIENT_MASTER_KEY

DTLS1_SEND_SERVER_KEY_EXCHANGE

DTLS1_SEND_SERVER_CERTIFICATE

DTLS1_SEND_CLIENT_KEY_EXCHANGE

DTLS1_SEND_CLIENT_CERTIFICATE

DTLS1_SEND_CERTIFICATE_REQUEST

DTLS1_OUTPUT_CERT_CHAIN

DTLS1_ADD_CERT_TO_BUF

CLIENT_MASTER_KEY

CLIENT_CERTIFICATE

key expansion

client write key

server write key

c->iv_len <= (int)sizeof(s->session->key_arg)

s->s2->key_material_length <= sizeof s->s2->key_material

Corrupt JPEG data: found marker 0xx instead of RST%d

Warning: unknown JFIF revision number %d.d

Corrupt JPEG data: %u extraneous bytes before marker 0xx

Inconsistent progression sequence for component %d coefficient %d

Unknown Adobe color transform code %d

Obtained XMS handle %u

Freed XMS handle %u

Unrecognized component IDs %d %d %d, assuming YCbCr

JFIF extension marker: RGB thumbnail image, length %u

JFIF extension marker: palette thumbnail image, length %u

JFIF extension marker: JPEG-compressed thumbnail image, length %u

Opened temporary file %s

Closed temporary file %s

Ss=%d, Se=%d, Ah=%d, Al=%d

Component %d: dc=%d ac=%d

Start Of Scan: %d components

Component %d: %dhx%dv q=%d

Start Of Frame 0xx: width=%u, height=%u, components=%d

Smoothing not supported with nonstandard sampling ratios

RST%d

At marker 0xx, recovery action %d

Selected %d colors for quantization

Quantizing to %d colors

Quantizing to %d = %d*%d*%d colors

%4u %4u %4u %4u %4u %4u %4u %4u

Unexpected marker 0xx

Miscellaneous marker 0xx, length %u

with %d x %d thumbnail image

JFIF extension marker: type 0xx, length %u

Warning: thumbnail image size does not match data length %u

JFIF APP0 marker: version %d.d, density %dx%d %d

= = = = = = = =

Obtained EMS handle %u

Freed EMS handle %u

Define Restart Interval %u

Define Quantization Table %d precision %d

Define Huffman Table 0xx

Define Arithmetic Table 0xx: 0xx

Unknown APP14 marker (not Adobe), length %u

Unknown APP0 marker (not JFIF), length %u

Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d

Unsupported marker type 0xx

Failed to create temporary file %s

Unsupported JPEG process: SOF type 0xx

Cannot quantize to more than %d colors

Cannot quantize to fewer than %d colors

Cannot quantize more than %d color components

Insufficient memory (case %d)

Not a JPEG file: starts with 0xx 0xx

Quantization table 0xx was not defined

Huffman table 0xx was not defined

Backing store not supported

Cannot transcode due to multiple use of quantization table %d

Maximum supported image dimension is %u pixels

Empty JPEG image (DNL not supported)

Bogus DQT index %d

Bogus DHT index %d

Bogus DAC value 0x%x

Bogus DAC index %d

Unsupported color conversion request

Too many color components: %d, max %d

Buffer passed to JPEG library is too small

JPEG parameter struct mismatch: library thinks size is %u, caller expects %u

Improper call to JPEG library in state %d

Invalid scan script at entry %d

Invalid progressive parameters at scan script entry %d

Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d

Unsupported JPEG data precision %d

Invalid memory pool code %d

Wrong JPEG library version: library is %d, caller expects %d

IDCT output block size %d not supported

Invalid component ID %d in SOS

Bogus message code %d

;Warning: highpass filter disabled. highpass frequency too small

hXXp://lame.sf.net

3.99.5

Opera

?INTERNAL ERROR IN VBR NEW CODE, please send bug report

@INTERNAL ERROR IN VBR NEW CODE (986), please send bug report

INTERNAL ERROR IN VBR NEW CODE (1313), please send bug report

maxbits=%d usedbits=%d

hip: invalid layer %d

hip: error audio data exceeds framesize by %d bytes

hip: bitstream problem, resyncing skipping %d bytes...

Sorry, layer %d not supported

hip: Can't rewind stream by %d bits!

hip: Bogus region length (%d)

ADVAPI32.dll

F%D,3

QVisual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

%S#[k

?#%X.y

.\crypto\engine\eng_pkey.c

RSA PRIVATE KEY

DSA PRIVATE KEY

EC PRIVATE KEY

Load certs from files in a directory

%s%clx.%s%d

unsupported type

unsupported recpientinfo type

unsupported recipient type

unsupported kek algorithm

unsupported content type

signer certificate not found

private key does not match certificate

no public key

no private key

no msgsigdigest

no key or cert

no key

not supported for this key type

not key transport

msgsigdigest wrong length

msgsigdigest verification failure

msgsigdigest error

invalid key length

invalid encrypted key length

error setting key

error getting public key

certificate verify error

certificate has no keyid

certificate already present

CMS_SIGNERINFO_VERIFY_CERT

CMS_RecipientInfo_set0_pkey

CMS_RecipientInfo_set0_key

CMS_RecipientInfo_ktri_cert_cmp

cms_msgSigDigest_add1

CMS_GET0_CERTIFICATE_CHOICES

CMS_EncryptedData_set1_key

CMS_decrypt_set1_pkey

CMS_decrypt_set1_key

CMS_add1_recipient_cert

CMS_add0_recipient_key

CMS_add0_cert

unsupported requestorname type

no certificates in chain

error parsing url

PARSE_HTTP_LINE1

OCSP_parse_url

OCSP_cert_id_new

unimplemented public key method

invalid cmd number

invalid cmd name

failed loading public key

failed loading private key

cmd not executable

ENGINE_UNLOAD_KEY

ENGINE_load_ssl_client_cert

ENGINE_load_public_key

ENGINE_load_private_key

ENGINE_get_pkey_meth

ENGINE_get_pkey_asn1_meth

ENGINE_ctrl_cmd_string

ENGINE_ctrl_cmd

ENGINE_cmd_is_executable

unsupported version

unsupported md algorithm

invalid signer certificate purpose

ess signing certificate error

ess add signing cert error

TS_VERIFY_CERT

TS_TST_INFO_set_msg_imprint

TS_RESP_CTX_set_signer_cert

TS_RESP_CTX_set_certs

TS_REQ_set_msg_imprint

TS_MSG_IMPRINT_set_algo

TS_CHECK_SIGNING_CERTS

ESS_SIGNING_CERT_NEW_INIT

ESS_CERT_ID_NEW_INIT

ESS_ADD_SIGNING_CERT

functionality not supported

WIN32_JOINER

unsupported pkcs12 mode

key gen error

PKCS8_add_keyusage

PKCS12_PBE_keyivgen

PKCS12_newpass

PKCS12_MAKE_SHKEYBAG

PKCS12_MAKE_KEYBAG

PKCS12_key_gen_uni

PKCS12_key_gen_asc

PKCS12_add_localkeyid

unsupported option

unable to get issuer keyid

policy syntax not currently supported

operation not defined

no proxy cert policy language defined

no issuer certificate

extension setting not supported

V2I_EXTENDED_KEY_USAGE

V2I_AUTHORITY_KEYID

S2I_SKEY_ID

S2I_ASN1_SKEY_ID

R2I_CERTPOL

unsupported cipher type

unknown operation

unable to find certificate

signing not supported for this key type

operation not supported on this type

no recipient matches key

no recipient matches certificate

encryption not supported for this key type

decrypted key is wrong length

PKCS7_add_certificate

unsupported method

no port specified

no port defined

no accept port specified

broken pipe

BIO_get_port

ECDH_compute_key

data too large for key size

unsupported field

passed null parameter

not a supported NIST prime

missing private key

keys not set

invalid private key

PKEY_EC_SIGN

PKEY_EC_PARAMGEN

PKEY_EC_KEYGEN

PKEY_EC_DERIVE

PKEY_EC_CTRL_STR

PKEY_EC_CTRL

o2i_ECPublicKey

i2o_ECPublicKey

i2d_ECPrivateKey

EC_KEY_print_fp

EC_KEY_print

EC_KEY_new

EC_KEY_generate_key

EC_KEY_copy

EC_KEY_check_key

ECKEY_TYPE2PARAM

ECKEY_PUB_ENCODE

ECKEY_PUB_DECODE

ECKEY_PRIV_ENCODE

ECKEY_PRIV_DECODE

ECKEY_PARAM_DECODE

ECKEY_PARAM2TYPE

DO_EC_KEY_PRINT

d2i_ECPrivateKey

zlib not supported

wrong public key type

unsupported public key type

unsupported encryption algorithm

unsupported any defined by type

unknown public key type

unable to decode rsa private key

unable to decode rsa key

streaming not supported

private key header missing

digest and key type not supported

bad password read

X509_PKEY_new

i2d_RSA_PUBKEY

i2d_PublicKey

i2d_PrivateKey

i2d_EC_PUBKEY

i2d_DSA_PUBKEY

d2i_X509_PKEY

d2i_PublicKey

d2i_PrivateKey

d2i_AutoPrivateKey

unsupported algorithm

unknown key type

unable to get certs public key

public key encode error

public key decode error

no cert set for us to verify

method not supported

loading cert dir

key values mismatch

key type mismatch

cert already in hash table

cant check dh key

X509_verify_cert

X509_STORE_add_cert

X509_REQ_check_private_key

X509_PUBKEY_set

X509_PUBKEY_get

X509_load_cert_file

X509_load_cert_crl_file

X509_get_pubkey_parameters

X509_check_private_key

GET_CERT_BY_SUBJECT

ADD_CERT_DIR

PKEY_DSA_KEYGEN

PKEY_DSA_CTRL

unsupported key components

unsupported encryption

read key

public key no rsa

problems getting password

keyblob too short

keyblob header parse error

expecting public key blob

expecting private key blob

error converting private key

PEM_WRITE_PRIVATEKEY

PEM_READ_PRIVATEKEY

PEM_READ_BIO_PRIVATEKEY

PEM_PK8PKEY

PEM_F_PEM_WRITE_PKCS8PRIVATEKEY

DO_PK8PKEY_FP

DO_PK8PKEY

d2i_PKCS8PrivateKey_fp

d2i_PKCS8PrivateKey_bio

unsupported salt type

unsupported private key algorithm

unsupported prf

unsupported key size

unsupported key derivation function

unsupported keylength

unsuported number of rounds

private key encode error

private key decode error

operaton not initialized

operation not supported for this keytype

no operation set

no key set

keygen failure

invalid operation

expecting a ec key

expecting a ecdsa key

expecting a dsa key

expecting a dh key

expecting an rsa key

different key types

ctrl operation not implemented

command not supported

camellia key setup failed

bn pubkey error

bad key length

aes key setup failed

PKEY_SET_TYPE

PKCS5_v2_PBE_keyivgen

PKCS5_PBE_keyivgen

EVP_PKEY_verify_recover_init

EVP_PKEY_verify_recover

EVP_PKEY_verify_init

EVP_PKEY_verify

EVP_PKEY_sign_init

EVP_PKEY_sign

EVP_PKEY_paramgen_init

EVP_PKEY_paramgen

EVP_PKEY_new

EVP_PKEY_keygen_init

EVP_PKEY_keygen

EVP_PKEY_get1_RSA

EVP_PKEY_get1_EC_KEY

EVP_PKEY_GET1_ECDSA

EVP_PKEY_get1_DSA

EVP_PKEY_get1_DH

EVP_PKEY_encrypt_old

EVP_PKEY_encrypt_init

EVP_PKEY_encrypt

EVP_PKEY_derive_set_peer

EVP_PKEY_derive_init

EVP_PKEY_derive

EVP_PKEY_decrypt_old

EVP_PKEY_decrypt_init

EVP_PKEY_decrypt

EVP_PKEY_CTX_dup

EVP_PKEY_CTX_ctrl_str

EVP_PKEY_CTX_ctrl

EVP_PKEY_copy_parameters

EVP_PKEY2PKCS8_broken

EVP_PKCS82PKEY_BROKEN

EVP_PKCS82PKEY

EVP_CIPHER_CTX_set_key_length

ECKEY_PKEY2PKCS8

ECDSA_PKEY2PKCS8

DSA_PKEY2PKCS8

DSAPKEY2PKCS8

D2I_PKEY

CAMELLIA_INIT_KEY

AES_INIT_KEY

invalid public key

PKEY_DH_KEYGEN

PKEY_DH_DERIVE

GENERATE_KEY

COMPUTE_KEY

rsa operations not supported

key size too small

invalid keybits

illegal or unsupported padding mode

digest too big for rsa key

data too small for key size

RSA_generate_key

RSA_check_key

RSA_BUILTIN_KEYGEN

PKEY_RSA_VERIFYRECOVER

PKEY_RSA_SIGN

PKEY_RSA_CTRL_STR

PKEY_RSA_CTRL

.pp@0

aEÐ

 (#EÚ

ÚE<<0

RC2 part of OpenSSL 1.0.0d 8 Feb 2011

IDEA part of OpenSSL 1.0.0d 8 Feb 2011

libdes part of OpenSSL 1.0.0d 8 Feb 2011

DES part of OpenSSL 1.0.0d 8 Feb 2011

NETSCAPE_CERT_SEQUENCE

.\crypto\asn1\x_pkey.c

RegDeleteKeyW

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventA

UrlIsW

SHLWAPI.dll

PSAPI.DLL

WS2_32.dll

COMCTL32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

FtpPutFileW

FtpCreateDirectoryW

FtpRemoveDirectoryW

FtpDeleteFileW

FtpSetCurrentDirectoryW

WININET.dll

MPR.dll

WINMM.dll

VERSION.dll

GetWindowsDirectoryW

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

KERNEL32.dll

UnregisterHotKey

RegisterHotKey

GetKeyNameTextW

MapVirtualKeyW

EnumWindows

EnumChildWindows

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

USER32.dll

GDI32.dll

COMDLG32.dll

ole32.dll

OLEAUT32.dll

.?AVECSmtp@@

zcÁ

R%Dwp`

?7%Cvd2

YL2Z%x

%SC7K%i`

.rk:`

\cmd'

.GL#!

*%S_A

nÂzj

h7.pO`

y7.aS`

7%U;a

`2T%F

A2S.fG

g#-%U

.jL\L}

<.KtU

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity version="1.0.0.0" processorArchitecture="x86" name="Test" type="win32"></assemblyIdentity><description>

</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><asmv3:application>

<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">

</asmv3:windowsSettings>

\StringFileInfo\lx\%s

%Y-%m-%d_%H-%M-%S.mp3

smtps.uol.com.br

*@uol.com.br

smtp.aol.com

*@aol.com

smtps.bol.com.br

*@bol.com.br

smtp.comcast.net

*@comcast.net

smtp.mail.yahoo.com

*@yahoo.com

smtp.live.com

*@hotmail.com

smtp.ig.com.br

*@ig.com.br

smtp.gawab.com

*@gawab.com

smtp.googlemail.com

*@gmail.com;*@googlemail.com

smtp.aim.com

*@aim.com

smtp.gmx.com

*@gmx.com;*@gmx.us

smtp.mail.yahoo.com.br

*@yahoo.com.br

smtp.hotpop.com

*@hotpop.com

mail.messagingengine.com

*@fastmail.fm

Shell32.dll

RICHED20.DLL

WAdvapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

@uxtheme.dll

@()<>,;:\"[]

ASoftware\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion

test366.txt

TEST450.txt

TEST450.txt/test366.txt

All Files (*.*)

*.exe

Viewer.exe

\TEST980.txt

@USER32.DLL

4.6.2

®key=

4.6.2

\Install.exe

(*.exe)

S.ICO

\WinInit.Ini

wininet.dll

netmsg.dll

%Y-%m-%d_%H-%M-%S.jpg

@hXXp://

S%Y-%m-%d_%H-%M-%S

CWebcam_

Keys_

.html

comctl32.dll

DNSAPI.DLL

DWTL_CmdBar_InternalAutoPopupMsg

WTL_CmdBar_InternalGetBarMsg

mscoree.dll

V*(%F@4 F7*

72.JA1'

[,'&"?4-

C:\ProgramData\QDLNQJ\QOS.exe

NOTEPAD.EXE_3532:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

msvcrt.dll

COMDLG32.dll

SHELL32.dll

WINSPOOL.DRV

ole32.dll

SHLWAPI.dll

COMCTL32.dll

OLEAUT32.dll

VERSION.dll

ntdll.dll

RegCloseKey

RegCreateKeyW

RegOpenKeyExW

GetProcessHeap

SetViewportExtEx

GetKeyboardLayout

_amsg_exit

_acmdln

ShellExecuteExW

notepad.pdb

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

===111*!

'141133!/!(!(!""/""

;;;;4;3423332

keYM

,k<.KQ

.WF"hB

dx.Rl

V.xOx_T

<'<.<9<_<

/.SETUP

%s%c*.txt%c%s%c*.*%c

*.txt

mshelp://windows/?id=5d18d5fb-e737-4a73-b6cc-dccc63720231

\StringFileInfo\xx\OriginalFilename

\sppsvc.exe

\slui.exe

\sppuinotify.dll

Text Documents (*.txt)

C:\crack.txt

6.1.7600.16385 (win7_rtm.090713-1255)

NOTEPAD.EXE

Windows

Operating System

6.1.7600.16385

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2692
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\ProgramData\QDLNQJ\QOS.00 (1 bytes)
   C:\ProgramData\QDLNQJ\QOS.exe (148 bytes)
   C:\ProgramData\QDLNQJ\QOS.02 (55 bytes)
   C:\crack.txt (1 bytes)
   C:\ProgramData\QDLNQJ\QOS.01 (81 bytes)
   C:\ProgramData\DPT\QOS.004 (3021 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "QOS Start" = "C:\ProgramData\QDLNQJ\QOS.exe"

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.