Backdoor.Win32.PcClient_24f041f340
not-a-virus:AdWare.Win32.MultiPlug.bwof (Kaspersky), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 24f041f340e2d78a5022c85a9c3bd6c4
SHA1: 0f2baf1749392f920bb3408e9d2cad290fbeda95
SHA256: ba2994a2fc1b4401af1035247d1eb8ca0c1a92ddbf6b9b3b0574dcfd7e6388ec
SSDeep: 6144:urcbUzkuvcBYC47l2x6VhrsvjcGUk6u2EOhB6nzuY5/:urhkuveY3bGkz6zuY5/
Size: 323176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: FreeWorldApp
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
usetup.exe:2892
putfu.exe:1480
rundll32.exe:2424
rundll32.exe:1908
%original file name%.exe:1496
Upd Inst.exe:2932
Upd Inst.exe:3156
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process usetup.exe:2892 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\Upd Inst.exe (26080 bytes)
The process putfu.exe:1480 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Assistant.dll (264574 bytes)
%Program Files%\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
The process %original file name%.exe:1496 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.ico (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.dat (16944 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\1_1[1].txt (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Custom.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\_Setup.dll (6360 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F2ED9AF8.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuF5BB3F7D.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1_1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\24f041f340e2d78a5022c85a9c3bd6c4.log (1662468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358} (4 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\r1_loversion_com[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Readme.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Custom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1_1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F2ED9AF8.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuF5BB3F7D.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\r1_loversion_com[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358} (0 bytes)
The process Upd Inst.exe:2932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\2218554572.ini (35280 bytes)
%WinDir%\Tasks\Upd Inst-S-2218554572.job (660 bytes)
Registry activity
The process usetup.exe:2892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FF 64 A6 07 EA 0A FE 56 C3 F9 F0 F0 B2 64 31"
The process putfu.exe:1480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"data.1" = "7e0RLkCZxj91434567VaWfnCS6Xzvh7u2zWpA4G Keo221v5QcV8uo72i3FuN6TBrHbME9fWywlXfnVaT6jbU7xktJNcxwS9ZBhLRX6Y"
"date" = "1414106513"
"data.0" = "FD3FwIhc7Uxr7Apnik8gThELlv5JrdkEU4RGaCxTqdbZ2FWsBfPeTHT6I/uNmO1Ia8fJ0WHGhabc"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"CategoryName" = ""
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"usr.0" = "jHIce4abcdefABCDWY"
"usr.1" = "dRQbdhOQIKEG xztvq"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"916e5338" = "%Program Files%\Assistant.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\ASSIST~1.DLL,_uninstall /un /uq"
"NoRepair" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"uuid" = "baadc0de-baadbeef-d8cc41db"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0e93c3f3" = "///%"
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f0bf0bde" = "///%"
"3c09c42b" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
"e46c271e" = "///%"
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"dlpath" = "c:\progra~1\assist~1.dll"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svi" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a2e3b941" = "///%"
"0dc3ee96" = "/P////%%"
"7367429f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svpath" = "c:\progra~1\AssistantSvc.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0e93c3f3" = "///%"
"f0bf0bde" = "///%"
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"NoModify" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\ASSIST~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 13 BA 87 11 0E 46 12 01 77 9B A7 53 96 0C 40"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Install_Dir" = "%Program Files%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"2d71d5ab" = "V/////%%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0c230bcb" = "///%"
"72758a5d" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\assist~1.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"LRTS" = "0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"n" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"data.0" = "FD3FwIhc7Uxr7Apnik8gThELlv5JrdkEU4RGaCxTqdbZ2FWsBfPeTHT6I/uNmO1Ia8fJ0WHGhabc"
"data.1" = "7e0RLkCZxj91434567VaWfnCS6Xzvh7u2zWpA4G Keo221v5QcV8uo72i3FuN6TBrHbME9fWywlXfnVaT6jbU7xktJNcxwS9ZBhLRX6Y"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a2e3b941" = "///%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"Publisher" = "Genuine P Software"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"InstallDate" = "20131024"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"414bc593" = "///%"
"587b5709" = "V/////%%"
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"usr.1" = "dRQbdhOQIKEG xztvq"
"usr.0" = "jHIce4abcdefABCDWY"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"7f69fa1f" = "///%"
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"uuid" = "baadc0de-baadbeef-d8cc41db"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"d1abcdb6" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"8b9e4cbc" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Version" = "22021985"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"DisplayName" = "Install Supporter 1.80"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"date" = "1414106513"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svn" = "Install Supporter"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svx" = ""
"svt" = "1414106514"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"d1abcdb6" = "///%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"State" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:2424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 27 81 C1 01 24 1D AE 38 86 3D E0 C3 8A CB 2B"
The process rundll32.exe:1908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
"a1dcff5b" = "V/////%%"
"7f69fa1f" = "///%"
"340d3099" = "/P////%%"
"587b5709" = "V/////%%"
"a2e3b941" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
"2d71d5ab" = "V/////%%"
"8b9e4cbc" = "V/////%%"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"3c09c42b" = "///%"
"a0743acc" = "N/////%%"
"6185d035" = "VP/h/CP/V//l////"
"fe94ce1e" = "V/////%%"
"1520c6f1" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"
"f0bf0bde" = "///%"
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"c99a5f5c" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
"72758a5d" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0c230bcb" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 00 6D C7 A9 9A 13 2B 46 CC C8 3F 1E 61 EC 89"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
"d1abcdb6" = "///%"
"0e93c3f3" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"27ddcf6f" = "///%"
"414bc593" = "///%"
"0dc3ee96" = "/P////%%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
"bbf88800" = "///%"
"e46c271e" = "///%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
"7367429f" = "///%"
The process %original file name%.exe:1496 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"TizPath" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"Language" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Addons]
"usetup.exe" = "usetup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EBF539D0-F45C-4138-9756-F390D12471F8}]
"388" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\TsuF5BB3F7D.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{DC8E5~1\Setup.exe /remove /q0"
"TSAware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"Version" = "16777216"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 2E 5C 7A 2D 08 25 EE 2C E6 1B DC 77 A4 5A 6B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"VersionMajor" = "1"
"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{DC8E5~1\Setup.exe /remove /q"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"EstimatedSize" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d]
"VersionMinor" = "0"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Upd Inst.exe:2932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 tJp3sbqomjlSvJfgkDPgofAaSAq8LeS0XEI" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 iI0lv89/XZTpmaWCAW6XiF/xIowoplYxrEc" = "NP6yu5 z7vLgNfABCDER9"
"NP6yu5 xyxzUr xztv8XRDd4dOlw/ 0eLrMM" = "NP6yu5 p/RcQikg012CPtvY0JqomLb"
"NP6yu5 pNrKTFbcdefEjL8Z1TlnENCpBpb" = "NP6yu5 kF2gRPysurp2A3mtKSHZBR"
"NP6yu5 qmagWavqomjYke3rg3RaIWgtRR6ly542b" = "NP6yu5 nQOmflhabcdWsBCtqN48gSBuhAtqRL6O W5"
"NP6yu5 t p YmhabcdJfHSAepXR5o1j1c DKl8GWf2QPTqLd" = "NP6yu5 y3uczJLFHwyklcZssbbufc/Fa92u2"
"NP6yu5 u2C5SlhabcdKYXGD2X5Dtp " = "NP6yu5 nQOmflhabcdWsBCtqN48gSBuhAtqRL6O W5"
"NP6yu5 iqFGhLqomjlSrvHfNHJ3oZIgyJwy44WgZ8t" = "NP6yu5 uDBxDY xztvCu97ygBqNrrfVrpnPvtSossp0Bhp2tIt/rYySGdnV6r1XFuQ6sBRm572bMSSvAZ/OONs HkRqlhE862xIPmTdR4dqHBbyHPF53QpX7hNgG4YVXljK2ZMMwne0CVWJWJbghTE3E7mzxRJP0H0FiN/tU2IgG4I8w/9DAh53ajKW7yPUaYBLn9LoeHW345F3UY8 IzVLMugTG/DxSeRtMbTuUrPQeqnHQsNpg3G8BK8ke5tx2WVKVlBNSNykrf9SDuE6O/CgdT/ruMVUKThe1KZHVzrmt5IL45JqB8oadba0 hF2cXHWiWrnaIKxRIj2YcPvJBcdhv3raZ6iDT 1xiQyw1lHDzIaglRjgVBMoFyvnEgCWVScvJ CSyEzx//pg8D4PZtfbhdLeBPOnG4K61iTKHc1VL0hfuNphvNMxZ9/v6fLTViZaJjq9BYEtgwXgs7udhVSg2Fu4IlcIQ7Pc23Hgo T9Udchl9xKtpeLf GAbD"
"NP6yu5 s/N9q2LFHwy5Ge3vWafDDyM0XgIXL/SocfUpBEc2iz" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 jO7cksRJLFHdItgO4" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 ow1rR56789/ue1sByvUf4kVuix" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 sH9 Y xztvq/XYWHIi jTIOMPd" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 kq14RlhabcdIjFSyg16YzyLsH" = "NP6yu5 qUrHuLUMOQIt9ojpRf16bCfmAuG5KiOkAkyk9h"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"Publisher" = "Upd Inst"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 q83XdcabcdeK18vAC0H9NVFErZY89qziqz" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 kMSXeBMOQIKhE69m1QE674UDEx" = "NP6yu5 z7vLgNfABCDER9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qnt FxztvqoDfBtS/GCPHJVoOIo2SDnPtKi" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 r 8G2h34567HEDrcOMl 7 u93c" = "NP6yu5 uvj7iEjlhabCyaAO0vnW1 rnHIkYXxIrwQwI6"
"NP6yu5 mGooxrikg01VravP7V/5b68FyY" = "NP6yu5 xztvqomjlha"
"NP6yu5 mGMVNpnikg0UES4we2P15TB9y" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 rK2YdOCDWYSo sSZJb0LFNMK7umzJ4f" = "NP6yu5 o4IdosRJLFHmfwN6K"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"NoRepair" = "1"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 oxTCwROQIKEbfoQmXOVq3pyCV" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 t4SMY89/XZTo241UBcL1FgCdQgO" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 o/JAuurpnikZzc72iod641QVSkWTqJSu5zR" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"URLInfoAbout" = ""
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 obHhU6789/Xu3lMQKQBU9v0o8l1 pwHGQ7a" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 upBrs456789yYTFdDrzVA0PJHl5GUN4cRRU6I0 /b" = "NP6yu5 ms6Kogvqomje5FgkwM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"_In" = "20141023"
"InstallDate" = "20131024"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qCEj2JrpnikTXYRb/hjk8pv2i7" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 uGnmtBCDWYSqb6jM/jZxaHmJs4bb/qRin 8" = "NP6yu5 uvj7iEjlhabCyaAO0vnW1 rnHIkYXxIrwQwI6"
"NP6yu5 rOHR67habcdI6oQitBZylEDlKv" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 jJE/mnBCDWYvA42sczUv9SClfrqvZXt8sBARO" = "NP6yu5 vR37OJKEG xjp5lmDeqehiLpz"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"NoModify" = "1"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 q2cpRx789/XueIe5iLgmR36Hi9ZR5HNZs2A" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 t5w/eBhabcdLg7/sFSAaTxRvG" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 t3BD56789/Xu4TF4qCfDCBTHm9BO81oA/UPCl" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 m493B1JLFHwfSLP0cq" = "NP6yu5 kF2gRPysurp2A3mtKSHZBR"
"NP6yu5 xGCT2oqomjlV2gRnCoLMWn7nyn" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"UninstallString" = "c:\documents and settings\all users\application data\freeworldapp\upd inst\upd inst.exe /uninstall"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 zUPS3jlhabcQDMNIScd6AO3aDxmTq1WIaX6" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
"NP6yu5 qwDMhUjlhabRi95gdx9wB Kt8h" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"DisplayName" = "Upd Inst"
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 xegqyZTVNPRhap40RL5nzk9RVF fIgeuX" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 jyYwQburpniZRRB5FiXXl0Nh4RV" = "NP6yu5 vR37OJKEG xjp5lmDeqehiLpz"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 4F 90 32 90 39 20 A8 30 7B 7E 90 9D 99 FF A0"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 kzHwZuJLFHw5Fr3FSOzPpISE/F" = "NP6yu5 uDBxDY xztvCu97ygBqNrrfVrpnPvtSossp0Bhp2tIt/rYySGdnV6r1XFuQ6sBRm572bMSSvAZ/OONs HkRqlhE862xIPmTdR4dqHBbyHPF53QpX7hNgG4YVXljK2ZMMwne0CVWJWJbghTE3E7mzxRJP0H0FiN/tU2IgG4I8w/9DAh53ajKW7yPUaYBLn9LoeHW345F3UY8 IzVLMugTG/DxSeRtMbTuUrPQeqnHQsNpg3G8BK8ke5tx2WVKVlBNSNykrf9SDuE6O/CgdT/ruMVUKThe1KZHVzrmt5IL45JqB8oadba0 hF2cXHWiWrnaIKxRIj2YcPvJBcdhv3raZ6iDT 1xiQyw1lHDzIaglRjgVBMoFyvnEgCWVScvJ CSyEzx//pg8D4PZtfbhdLeBPOnG4K61iTKHc1VL0hfuNphvNMxZ9/v6fLTViZaJjq9BYEtgwXgs7udhVSg2Fu4IlcIQ7Pc23Hgo T9Udchl9xKtpeLf GAbD"
"NP6yu5 mPpwLQDWYSUoj8v7lBa0 8W0MSmWN4ClWM7" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 jxu9x/ztvqoWwAvzzG1eDHhjPa" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"DisplayVersion" = "3.3.0.1810"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 vbNHYCDWYSUoiK7bPU/LiTlOXXB/Y/8ZsgUeDPvDrC" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 jnTHsfABCDWtWkUM/W1aPBtS1 VQW3XAfac" = "NP6yu5 xztvqomjlha"
"NP6yu5 oFUvMDbcdefHBbxrMluGJ9Aygj" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 u4W7I3FHwysfpPWVEc640Vgj7vuI5FRvR" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 oRN6utIKEG digPng1ySOBlAVHvZrTks5X3JZ0jUs" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 xh2uW4Hwysu7Ssr8oWZx2xW2hDd4djxqbX" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 vGPjjAfABCDtsHMzvqSfT7E4si" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 sFynDebcdef tMD" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 s2TbxEefABCxJ0DAXr /fsJdEdZsSHr HV" = "NP6yu5 qUrHuLUMOQIt9ojpRf16bCfmAuG5KiOkAkyk9h"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"URLUpdateInfo" = ""
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 yEFhrM xztvBTqybYrHCKZLQDEDd77yDa71" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"SilentUninstall" = "c:\documents and settings\all users\application data\freeworldapp\upd inst\upd inst.exe /uninstall"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qAAIJrpnikgVSUoLaz3mK8u RgKbxPY" = "NP6yu5 ms6Kogvqomje5FgkwM"
The process Upd Inst.exe:3156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 98 23 A6 40 9E 64 E1 6D FE D0 24 26 9C E2 36"
Dropped PE files
| MD5 | File path |
|---|---|
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\agup[1].exe |
| 23912df27a61ea0463c5509ba6a97579 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tpq[1].exe |
| d4d1cc69e363813c14f289694756aa1e | c:\Program Files\Assistant.dll |
| 12f36f36188cbd24a4d601ccc9ef5e76 | c:\Program Files\AssistantSvc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: FreeWorldApp
Product Name: FreeWorldApp
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 FreeWorldApp
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.9.28.1126
File Description: Installer for FreeWorldApp
Comments: WinNT (x86) Unicode Lib Rel
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 2.76871 | f36830a909a8bc24c3f3695408fe2ee4 |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120967 | 121344 | 5.54288 | c1e6f883fec7a9e07fd2e6fc90d0362d |
| .tsuarch | 159744 | 176640 | 176640 | 5.54373 | e24ce50b92cada2eab1c838aac41d932 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 119
fb5ff98dac7bc36d12c9335752411604
648c1100e2e838592a559aa03ba39e61
614c8dbc0d17d22ad63a9cdd96d53f3f
18b6ffe6f55dab9d043c1b05fbe01cd2
e03e5b12d876441dc658a960f0dd2ccd
405e0fab3e811944341782e9f9eb0b71
329a706460e0b949b6c53f00d0538ac5
777cb72ce57f38ae6ee7a31e38e50f97
677d5873d7ea9291b75e9c4d90fe5309
d1e74e2d701ba627baf0e2d1597d4c9b
e34f59d7bdb328fb34c665ce1010ba89
b38e7e30bc203503e20bcde37a11dc54
dfb1076f0341b3f101cf4bd6a6bca49e
bc5aa530f305ff5dba802c4146dd9fb4
b592ae62c7316a20e762db74734e4b6f
eabfa595f64526bc7e81eb5deb6ba832
83acc92bc763e84f89a96c2db4161976
c3f364962e3555a3600509ab902e42b5
ecf560b50b77b8d0fd2f6cc3964efac3
5a0e7dd371312cf8414903bb3290d300
8cd438b09914cd05bf6257452ae1552f
6cbf3234d9f265ac9ed9189a0edad02b
6c1f995c0de24b95ac561f98a2e66a10
9e976b759061285b2347516018d42512
7d652f91717f6fef910e30a915b7dfb5
680c73ab32d9167c3e5c9a099cb3be44
URLs
| URL | IP |
|---|---|
| hxxp://datadownloadscan.info/get/?data=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&version=4 | |
| hxxp://54.68.226.215/?step_id=1_1&installer_id=3932630734550040144&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=2522497648903360838&external_id=0&session_id=315671984335875143&hardware_id=17167354810579486025&installer_file_name= Download now (32-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://198.7.61.119/addons/agup.exe | |
| hxxp://54.68.226.215/?report_version=5& | |
| hxxp://i1.loverse.org/addons/agup.exe | |
| hxxp://c1.loversion.com/?step_id=1_1&installer_id=3932630734550040144&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=2522497648903360838&external_id=0&session_id=315671984335875143&hardware_id=17167354810579486025&installer_file_name= Download now (32-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: datadownloadscan.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 24 Oct 2014 04:27:00 GMT
Content-Length: 0
Connection: close
GET /?step_id=1_1&installer_id=3932630734550040144&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=2522497648903360838&external_id=0&session_id=315671984335875143&hardware_id=17167354810579486025&installer_file_name= Download now (32-bit)&sr=1&st=1&include_signature=0&uuid=%2A HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.loversion.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 24 Oct 2014 04:27:01 GMT
Content-Type: text/html
Content-Length: 6716
Connection: close
Content-Disposition: attachment; filename="1_1.txt"
(body is a UTF-16LE INI file; shown decoded)
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="0debd739-b6ef-4bca-b643-abe3cc31f691"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="0"
InstallerID="3932630734550040144"
Locale="<Language>"
Date="2014/10/24"
Time="4:27:01"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""
[Server]
ID="3"
Location="DE"
[UserInfo]
CountryCode="IN"
IPAddress="184.107.38.38"
WebBrowser="4"
[RndGen]
Percentage="65"
[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
<<< skipped >>>
GET /addons/agup.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.loverse.org
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Fri, 24 Oct 2014 04:26:45 GMT
Content-Type: application/octet-stream
Content-Length: 773632
Last-Modified: Wed, 17 Sep 2014 09:31:05 GMT
Connection: close
Accept-Ranges: bytes
(binary body: MZ/PE executable of 773632 bytes with the "This program cannot be run in DOS mode" stub, a Rich header and .text/.rdata/.data sections; raw dump not reproduced)
<<< skipped >>>
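The three exchanges above carry the traits the ET alerts keyed on: a bare `win32` or `TixDll` User-Agent, a check-in that ships installer, session and hardware identifiers, and an `.exe` fetch from an `/addons/` path, with the server answering the check-in with a UTF-16LE INI file. The script below is an added example, not part of the report: a small request parser that tolerates the unescaped spaces in `installer_file_name`, a triage function for those traits, and a decoder for the INI body. The UA list, the identifier keys and the "three or more identifiers" threshold are my choices; the sample requests and INI body are reconstructed from the capture above, except the `data=` value (redacted on the page) and the benign control request, which are constructed.

```python
"""Triage the HTTP exchanges captured in the Traffic section above.

Added example, not part of the report. parse_request() handles raw request
heads of the kind shown (including the unescaped spaces in
installer_file_name), triage() flags the traits the ET alerts keyed on, and
decode_ini_body() decodes the UTF-16LE INI returned as 1_1.txt. The UA
list, the identifier keys and the ">= 3 identifiers" threshold are my
choices; samples are reconstructed from the capture (constructed where noted).
"""
import configparser
from urllib.parse import parse_qs, urlsplit

SUSPICIOUS_UAS = {"win32", "tixdll"}
BEACON_KEYS = {"installer_id", "hardware_id", "session_id", "publisher_id",
               "affiliate_id", "download_id"}


def parse_request(raw):
    """Return method, version, path, host, query dict, ua and headers of a raw request head."""
    lines = raw.strip("\r\n").splitlines()
    parts = lines[0].split(" ")
    # The request target may contain unescaped spaces (seen in the capture):
    # take the first and last tokens as method/version, the rest as target.
    method, version, target = parts[0], parts[-1], " ".join(parts[1:-1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method, "version": version, "path": url.path,
        "host": headers.get("host", ""),
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "ua": headers.get("user-agent", ""), "headers": headers,
    }


def triage(req):
    """Return a list of reasons this request looks like installer/adware traffic."""
    reasons = []
    if req["ua"].lower() in SUSPICIOUS_UAS:
        reasons.append(f"non-browser User-Agent '{req['ua']}'")
    ids = BEACON_KEYS & set(req["query"])
    if len(ids) >= 3:
        reasons.append(f"check-in carrying identifiers {sorted(ids)}")
    if req["path"].lower().endswith(".exe"):
        reasons.append(f"executable download {req['path']} from {req['host']}")
    return reasons


def decode_ini_body(body):
    """Decode a UTF-16LE INI attachment into {section: {key: value}}."""
    text = body.decode("utf-16-le").lstrip("\ufeff").replace("\r\n", "\n")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                       # keep key case (ProductCode)
    cp.read_string(text)
    return {s: {k: v.strip('"') for k, v in cp[s].items()} for s in cp.sections()}


# --- samples reconstructed from the capture (constructed where noted) ---
REQ_CHECKIN = (
    "GET /?step_id=1_1&installer_id=3932630734550040144&publisher_id=388"
    "&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4"
    "&download_id=2522497648903360838&external_id=0&session_id=315671984335875143"
    "&hardware_id=17167354810579486025&installer_file_name= Download now (32-bit)"
    "&sr=1&st=1&include_signature=0&uuid=%2A HTTP/1.1\r\n"
    "Accept: */*\r\nUser-Agent: TixDll\r\nHost: c1.loversion.com\r\n"
    "Cache-Control: no-cache\r\n\r\n")
REQ_DOWNLOAD = ("GET /addons/agup.exe HTTP/1.1\r\nAccept: */*\r\n"
                "User-Agent: TixDll\r\nHost: i1.loverse.org\r\n\r\n")
REQ_SCAN = ("GET /get/?data=REDACTED&version=4 HTTP/1.1\r\nAccept: */*\r\n"   # data= constructed
            "User-Agent: win32\r\nHost: datadownloadscan.info\r\n\r\n")
REQ_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: example.com\r\n"              # constructed control
              "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0\r\n\r\n")
INI_1_1 = (
    '[Installer]\r\nProductName="Setup"\r\nProductVersion="1.0"\r\n'
    'ProductCode="0debd739-b6ef-4bca-b643-abe3cc31f691"\r\nPublisherID="388"\r\n'
    'InstallerID="3932630734550040144"\r\nRunOnce="1"\r\n'
    '[Server]\r\nID="3"\r\nLocation="DE"\r\n'
    '[UserInfo]\r\nCountryCode="IN"\r\nIPAddress="184.107.38.38"\r\nWebBrowser="4"\r\n'
    '[Screen76]\r\nTitle="Setup"\r\nButton1="Try Again"\r\nButton2="Cancel"\r\n'
    'Label1="We\'re sorry: the download link seems to be broken."\r\n')
BODY_1_1 = INI_1_1.encode("utf-16-le")       # no BOM in this sample; the decoder tolerates one

if __name__ == "__main__":
    for raw in (REQ_SCAN, REQ_CHECKIN, REQ_DOWNLOAD, REQ_BENIGN):
        req = parse_request(raw)
        print(f"{req['host']:24s} {req['path']:18s} {triage(req) or 'no finding'}")
    print(decode_ini_body(BODY_1_1)["UserInfo"])
```

The identifier-count check is deliberately not tied to the exact parameter names seen here: the same installer framework appears with other publisher IDs, so the check counts how many of the tracking keys are present rather than matching one full URL.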
The Backdoor connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Upd Inst.exe_3156:
.text
`.rdata
@.data
.rsrc
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
load x
qI3[0%s
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
EnumWindows
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USERENV.dll
GetCPInfo
[]@%~!#$^&*()_-?|{}=:/vABmeRfAuIUlkvobQhxXiDGwS02xn6H0U6DZCDHvIATNlPbpqpPOz1QGiLGMhTuXinBPsG7pT5nQKg97KEjbWMXt6UeZQ3NNhWSkbs0PFUOXeu7qBezPy6gssSHDhGJ
1JyR4HrFONIVXjDC3ceRt4KW5E58D1BdAX9AHUEsxBGQrkj2l4p0wTdBiE7AyjeDgvWK9VVq41NX09K0nnoHzGbVXNQNdpxZbKzI7sigiVjIeNRe8 D7f5nzkjv R2ij
DJG8iVLHF5/4R27dp4BElIKbN/KYkRKY7AbogR38oQlq2txqkyi1sKMR3UpmxdJxPe0HZ/DdKh6G/lUlRZH1/xerK5e7xun94PtKXn1pSjcmK1a5DK1XC7msG9iESCW1
4HrFQ J0KEY8b4oBZWCCb9J2PMsVPOlaLQ9moQOQoSEHORL 9OxkswsK3bpiEZ4fOxjain0oLy40kYhnKKs0deJGnSyjex/VA9ibPUrxX7Gs/Ay7bzRJsCrHQSGYORaa
4H5dKFe wAXj6ynku/N94HrFR273xIi0IAGzz55vz8HIL 0 apXImYhvAzmlpZRXSjcmEeDdVg4C 9RaF0sQlNnsjMyL5da53 cNpd0KlFJb22sElQvaM4mT8PvEN057
20120606
c:\documents and settings\all users\application data\freeworldapp\upd inst\Upd Inst.exe
?456789:;<=
!"#$%&'()* ,-./0123
'()*#$%&
>?:;<=9876540123,-./
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
portuguese-brazilian
%s\%s
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
_dlsys->%s is null
ProductSupport
log.txt
AG%d%s
access out of bounds index %d not in 0..%d
UInfoURL
E:%u LookupPrivValue
E:%u AdjustTokenPriv
AdjustTokenPriv() return: %u (0==success)
E:%u OpProcTkn
(lpCmdLine==NULL)
result=%s
E: empty key; ignored
Except 0x%0.8x @0x%0.8x (%.30s) hmod=0xx
E:%d enc
E OpenPT: %x
E EES: %x
PendingFileRenameOperations
PendingFileRenameOperations2
FileRenameOperations
c:\temp\winnie-pooh\piglet-rules.tmp
DeleteFile('%s') OK (not exist)
DeleteFile('%s') E1:%d;E2:%d
DeleteFile('%s') OK (scheduled; immediate E:%d); pending ops found:%d
DeleteFile('%s') OK
'%.256s~': E:%d
C:\Users
C:\Doc
\qmgr.dll
major version %d looks bogus
minor ver %d looks bogus
s-pack %d looks bogus
E:%d creating Runtime; OS-ver=%d
DLL LogPath='%s'
DL%d_%s
E:%d create HTML document; OS-ver=%d, IE-ver=%s
E:%d bind runtime to HTML window; OS-ver=%d, IE-ver=%s
E:%d LoadScr(BOOT)
E:%d LoadScr(JSO)
FROMAGENT_URLMON_IS_PRIMARY
FROMAGENT_NO_FALLBACK_ON_HTTP_ERRORS
E:%x execScript(JSON)
E:%x execScript(BOOTSTRAP)
execScript(BOOTSTRAP) done; m_eExitCode not set, assumed %d (E_SUCCESS=%d)
execScript(BOOTSTRAP) done; EC:{%d,%d}
execScript(BOOTSTRAP): script ended: VT_%d (VT_INT=%d)
worker about to end - calling spRuntime.Release();
%s-%s
Global\%s
E:%d CreateEvent '%s'
/schedule /profile "%s"
E:%d installing task '%.256s~'
E:%d removing task '%.256s~'
SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
E:%d open BITS registry at '%s'
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): BITS FGND retries (in registry) = %d
Refresh enth set to %d sec
%ds[to-wait]-%ds[since-last];keep>0 ==>%ds
Waiting %ds
"%s" /%s "%s"
E appdaemon.Start '%.256s~'
%d.%d.%d.d
: E:%d open agent key '%.50s>'
E:%d delete module key '%.256s~'
: InitializeSecurityDescriptor failed; Error %u
: SetSecurityDescriptorDacl failed; Error %u
%s\%s\%s
E:%d open agent key'%.256s~'
WriteRegistryProfile E open module key '%.50s>' E:%d
WriteRegistryProfile E create section key '%.50s>' E:%d
WriteRegistryProfile E write section='%.50s>' value='%.50s>'; E:%d
['%.50s>']('%.50s>')<=='%.50s>'; E:%d; %s: {sec'%.50s>',key'%.50s>'} E val-len %d>%d truncated
['%.256s~']('%.256s~')='%.256s~'; E %d too long, max=%d
E:%d start worker watchdog
CAgentModule::WatchdogThreadMain: Watchdog active. no event; waiting %d sec
.ini.bak
(%s,%s): E:%d open key
E:%d CoCreateInst
E:%d: ITaskSched::NewWItem
SetApplicationName E:%d
E:%d SetParameters
SetWorkingDirectory E:%d
SetAccountInformation E:%d
SetComment E:%d
SetFlags E:%d
CreateTrigger E:%d
SetTrigger E:%d
SetMaxRunTime E:%d
QueryInterface(IPersistFile) E:%d
E:%d save task in scheduler (IPersistFile::Save)
E:%d activate task (ITask::Run)
CoCreateInstance TaskScheduler failed %d
ITaskScheduler::Delete failed %d
E:%d OpSCMan
OpenService failed %d
ChangeServiceConfig failed %d
E:%d GetUserName
: E:%d LoadUserProfile (hTok=0x%x)
E:%d CreateEnvironmentBlock (hTok=0x%x)
"%s" %s
E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess
E:0xx CreateProcess; cannot start worker
E:0x%x CreateProcess OK but (hProcess==NULL); cannot start worker
: PHY %dmb<%dmb; E start command'%.256s~'
: VIRT %dmb<%dmb; E start command'%.256s~'
E:0x%0x WTSQUserTken
: E:0x%0x DupToken(Impers); continue;
: E:0x%0x DupToken(Ident); continue;
: E:0x%0x GetTokenInfo; continue;
E:0x%0x ImpersLOU
non admin user, os-ver=%d ==> do not execute
E:%d FndNxtFile: source is a folder
DeleteDirectory('%s') OK
DeleteDirectory('%s') E:%d
RemoveFileTree('%s') OK
RemoveFileTree('%s') E:%d
E:%d '%.256s~'->'%.256s~'
E:%d encrypting; cont unencrypted
E:%d Prepare()
ShellExecuteEx
E:%d (info.hInstance=%d)
Notepad.exe
Software\Microsoft\Windows\Current
ddeexec
.aHTML
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
ddd
%d.%d.0.%d
URLInfoAbout
URLUpdateInfo
C:\Windows\System32\msiexec.exe
PID%d.TID%d
CEventLogger::LogEventV: vsprintf error %d with pszFormat='%s'
E:%d create memlog
{"entry_counter":"%u","entry_time":"%s","entry_type":"%llu","message":"%.256s"},file not reported
JScr E:'%.50s>' F:'%.30s>',L:%d
E:NULL desc) (F='%.30s>',L=%d)
JScr: ExitP(%d)
JScr: ExitP(no code=%d)
E:%d data='%.256s~'
E:%d GetDisID'%.256s~'
ver=%d.%d.%d(%s)
os_id=%d.%d.%d sp%d
aid=%s
hid=%s (old crc32=0xx)
timestamp now=0x%s
IPv4_long=%d 0xx
E:%d folder '%s'
killed %d '%.256s~'
E:%d copy to '%.256s~'
E:%d ShellExec '%.256s~''%.256s~'
E:%d CreateProc '%.256s~'
E:%d GetExitCodProc(pid=%d)
E:%d inst to '%.256s~'
/instal E not adm. (OSVer=%d)
/install E not admin. (OSVer=%d) Cannot run
/Install <path> E:%d; continue as worker to report
/inst E not admin. (OSVer=%d)
/install E:%d schedule logon task (OSVer=%d); continue as worker to report
/install OK, but uninstaller(this=0x%x) E:%d.
/install OK. (will be reported by self)
/install E:%d. (is reported by parent)
/schedule E not admin. (OSVer=%d) Cannot run
New Scheduler v%d.%d.%d %s
Scheduler exits C:0x%x
/uninstall requires admin privileges. (OSVer=%d) Cannot run
Disable OK; %d killed
UNINST REPORT STARTS
UNINST REPORT ENDS
New Wker v%d.%d.%d %s
Worker exits C:0x%x
E:0x%x create: '%.256s~'
(%s,%s): OK
(%s,%s): E:%d setting value
E:%d open key '%.256s~'
RegDeleteKeyEx
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
usetup.exe:2892
putfu.exe:1480
rundll32.exe:2424
rundll32.exe:1908
%original file name%.exe:1496
Upd Inst.exe:2932
Upd Inst.exe:3156
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\Upd Inst.exe (26080 bytes)
%Program Files%\Assistant.dll (264574 bytes)
%Program Files%\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.ico (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.dat (16944 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\1_1[1].txt (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Custom.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\_Setup.dll (6360 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F2ED9AF8.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuF5BB3F7D.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1496.1_1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{DC8E51AE-8787-4CAA-AE41-CFA5076D7358}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\24f041f340e2d78a5022c85a9c3bd6c4.log (1662468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\2218554572.ini (35280 bytes)
%WinDir%\Tasks\Upd Inst-S-2218554572.job (660 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
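Before removing anything by hand it is worth confirming which of the artifacts listed above (and the MD5s from the Dropped PE files table) are actually present on a suspect host. The script below is an added example, not part of the Lavasoft report: the paths, HKLM keys, scheduled-task file and the two MD5s are taken from the report, the `%Documents and Settings%\All Users\Application Data` and `%Program Files%` placeholders are resolved from the environment (so the list works on XP, the analysis platform, and on later Windows where `ProgramData` and `Program Files (x86)` apply to a 32-bit installer), and the lookup functions are injectable so the logic can be exercised offline. Run it as-is on Windows to check a live machine.

```python
"""Sweep a host for the artifacts this report attributes to the sample.

Added example, not part of the report. Paths, HKLM keys, the task file and
the two MD5s come from the report's Dropped PE files table and removal
list; folder placeholders are resolved from the environment. exists/md5/
reg_exists are injectable so the logic runs offline; on Windows the
defaults check the live machine.
"""
import hashlib
import os
import sys

# (base folder tag, path relative to it, expected MD5 from the report or None)
FILE_IOCS = [
    ("appdata_all", r"FreeWorldApp\Upd Inst\Upd Inst.exe", None),
    ("appdata_all", r"FreeWorldApp\Upd Inst\2218554572.ini", None),
    ("programfiles", r"Assistant.dll", "d4d1cc69e363813c14f289694756aa1e"),
    ("programfiles", r"AssistantSvc.dll", "12f36f36188cbd24a4d601ccc9ef5e76"),
    ("windir", r"Tasks\Upd Inst-S-2218554572.job", None),
]
REG_IOCS = [   # all under HKLM
    r"SOFTWARE\Upd Inst\2218554572",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e05d5ba0-5f98-4d74-962a-821b350f277d",
]


def base_dirs(env=None):
    """Resolve the report's folder placeholders for this machine (XP or later)."""
    env = os.environ if env is None else env
    all_users = env.get("ProgramData") or (
        env.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users") + r"\Application Data")
    pf = [env.get("ProgramFiles", r"C:\Program Files")]
    if env.get("ProgramFiles(x86)"):           # 32-bit installer on x64 lands here
        pf.append(env["ProgramFiles(x86)"])
    return {"appdata_all": [all_users], "programfiles": pf,
            "windir": [env.get("WINDIR", r"C:\Windows")]}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hklm_key_exists(subkey):
    """True if HKLM\\<subkey> opens in the native or the 32-bit registry view."""
    try:
        import winreg
    except ImportError:
        return False
    for view in (0, winreg.KEY_WOW64_32KEY):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                           winreg.KEY_READ | view))
            return True
        except OSError:
            continue
    return False


def sweep(exists=os.path.exists, md5=md5_of, reg_exists=hklm_key_exists, env=None):
    """Return [(kind, location, note), ...] for every IOC found on the host."""
    hits = []
    bases = base_dirs(env)
    for tag, rel, want in FILE_IOCS:
        for folder in bases[tag]:
            path = folder.rstrip("\\") + "\\" + rel   # Windows paths, built explicitly
            if not exists(path):
                continue
            note = "present"
            if want:
                got = md5(path)
                note = "md5 match" if got == want else f"md5 differs ({got})"
            hits.append(("file", path, note))
    for key in REG_IOCS:
        if reg_exists(key):
            hits.append(("registry", "HKLM\\" + key, "present"))
    return hits


if __name__ == "__main__":
    found = sweep()
    for kind, location, note in found:
        print(f"{kind:9s}{note:20s}{location}")
    sys.exit(1 if found else 0)
```

A differing MD5 on `Assistant.dll` or `AssistantSvc.dll` is still a hit: it means a file of that name exists where the report says the sample drops it, just not the exact build analysed here.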