Backdoor.Win32.PcClient_7a32afd69f
not-a-virus:AdWare.Win32.MultiPlug.bwof (Kaspersky), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7a32afd69f4409e830580bd1ae392af9
SHA1: da930d3abc2629f47cbae2c1f2f2cad73754f874
SHA256: b9a3df5f9c34e2595b76d005c46756132231ef4d8e8b8503621ff64fc7474da3
SSDeep: 6144:urcbUzkuvcBYC47l2x6VhrsvjcGUk6u2EOhB6nzuY5t:urhkuveY3bGkz6zuY5t
Size: 323200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: FreeWorldApp
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor: malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
usetup.exe:416
putfu.exe:1848
rundll32.exe:204
rundll32.exe:424
Upd Inst.exe:1992
Upd Inst.exe:192
%original file name%.exe:548
The Backdoor injects its code into the following process(es):
No code injection into other processes was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process usetup.exe:416 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\Upd Inst.exe (26080 bytes)
The process putfu.exe:1848 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\DeltaFix\DeltaFix.dll (246604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (25429 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
The process Upd Inst.exe:192 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\2218554572.ini (35494 bytes)
%WinDir%\Tasks\Upd Inst-S-2218554572.job (660 bytes)
The process %original file name%.exe:548 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu88EE8827.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1_1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1FED15A.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DeltaFix[1].exe (185551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A} (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (88 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7a32afd69f4409e830580bd1ae392af9.log (1682472 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.putfu.exe (185551 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].txt (6 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu88EE8827.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1FED15A.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Readme.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.loversion[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1_1.ini.part (0 bytes)
Registry activity
The process usetup.exe:416 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 06 53 0F 7D 4E 7A B3 80 79 F2 D3 7B 33 6C AD"
The process putfu.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\DeltaFix\DeltaFix.dll,_uninstall /un /uq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"uuid" = "8686240424344041467"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Mode" = "4026531840"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"InstallDate" = "20131112"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e46c271e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.1" = "E3bKGecXEXlIaIKEG mlVfzBBryH7/QJ1ZWugDr9jxU9ktWpIbtFDq2kyPJIKlQEJbqdlLxQQRYxIAlccm95J7xYiazX4tUrNC03wm5IAh"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"dlpath" = "c:\progra~1\deltafix\deltafix.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
"f6ad6fa6" = "V/////%%"
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a2e3b941" = "///%"
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"65114b36" = "Vl/l////"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\DeltaFix\DeltaFix.dll,_uninstall /un"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2e22d94e" = "///%"
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"DisplayName" = "Install Supporter"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"State" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 93 06 46 05 CE 65 E8 10 32 F4 96 FF 64 90 BE"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0c230bcb" = "///%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"24c54e38" = "%Program Files%\DeltaFix\DeltaFix.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Install_Dir" = "%Program Files%\DeltaFix"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"Publisher" = "Genuine P Software"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svpath" = "c:\Program Files\DeltaFix\DeltaFix.dll"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf////"
"414bc593" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"CategoryName" = ""
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a2e3b941" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.0" = "NAgPJcKvxPhFoomjlhDeRLi5uhL3siRyILHSjCCwb3tyW6XWgf33Ds9BwxmImtEqz7VD1pB/k1F3F3NkCV1LuBCD"
"data.1" = "E3bKGecXEXlIaIKEG mlVfzBBryH7/QJ1ZWugDr9jxU9ktWpIbtFDq2kyPJIKlQEJbqdlLxQQRYxIAlccm95J7xYiazX4tUrNC03wm5IAh"
"LRTS" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"date" = "%Server_Timestamp%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"usr.1" = "7DEeAYhabcdefABCDW"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"date" = "%Server_Timestamp%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.0" = "NAgPJcKvxPhFoomjlhDeRLi5uhL3siRyILHSjCCwb3tyW6XWgf33Ds9BwxmImtEqz7VD1pB/k1F3F3NkCV1LuBCD"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "/P////%%"
"bbf88800" = "///%"
"0c230bcb" = "///%"
"414bc593" = "///%"
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Version" = "22022115"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"uuid" = "8686240424344041467"
"svi" = "0"
"svn" = "DeltaFix"
"usr.0" = "B1GfBOOQIKEG xztvq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svx" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"usr.0" = "B1GfBOOQIKEG xztvq"
"usr.1" = "7DEeAYhabcdefABCDW"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svt" = "1415795043"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web nodes with no dots in their name, which do not belong to any other zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 7E 4E 63 DF 84 1D D1 84 8A 83 14 78 DF 8B 8B"
The process rundll32.exe:424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"65114b36" = "Vl/l////"
"414bc593" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"f6ad6fa6" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"fe94ce1e" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"8b9e4cbc" = "V/////%%"
"2d71d5ab" = "V/////%%"
"7367429f" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0dc3ee96" = "/P////%%"
"e46c271e" = "///%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"a0743acc" = "N/////%%"
"c6c5dd44" = "V/////%%"
"1520c6f1" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a2e3b941" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
"f1f24e29" = "Vl/l/C/////%"
"f2c53c49" = "UlAr/XJ/c//k////"
"c24899a6" = "Vx/g/CD/Mx////%%"
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"48bd1aff" = "V/////%%"
"c99a5f5c" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "/P////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 8D 99 39 E7 7E 00 48 E6 AB A1 F8 62 CF 5E F5"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2e22d94e" = "///%"
"3c09c42b" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"bbf88800" = "///%"
"72758a5d" = "///%"
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf////"
"d1abcdb6" = "///%"
"27ddcf6f" = "///%"
"7f69fa1f" = "///%"
The process Upd Inst.exe:1992 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 60 EF F4 B8 33 EF E0 12 5F A7 29 E7 A7 21 27"
The process Upd Inst.exe:192 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 tJp3sbqomjlSvJfgkDPgofAaSAq8LeS0XEI" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 iI0lv89/XZTpmaWCAW6XiF/xIowoplYxrEc" = "NP6yu5 tyrauJ56789JH3"
"NP6yu5 xyxzUr xztv8XRDd4dOlw/ 0eLrMM" = "NP6yu5 p/RcQikg012CPtvY0JqomLb"
"NP6yu5 pNrKTFbcdefEjL8Z1TlnENCpBpb" = "NP6yu5 sB7jMZTVNPRs6ixSKY7TYx"
"NP6yu5 qmagWavqomjYke3rg3RaIWgtRR6ly542b" = "NP6yu5 kH9bidefABCP2yFXLKfqyTjDA1nRKmvCJlPo6"
"NP6yu5 t p YmhabcdJfHSAepXR5o1j1c DKl8GWf2QPTqLd" = "NP6yu5 mXYMPgsurpn3NfNkjIl1aXAkUJXJG"
"NP6yu5 u2C5SlhabcdKYXGD2X5Dtp " = "NP6yu5 kH9bidefABCP2yFXLKfqyTjDA1nRKmvCJlPo6"
"NP6yu5 iqFGhLqomjlSrvHfNHJ3oZIgyJwy44WgZ8t" = "NP6yu5 uDBxDY xztvCu97ygBqNrrfVrpnPvtSossp0Bhp2tIt/rYySGdnV6r1XFuQ6sBRm572bMSSvAZ/OONs HkRqlhE862xIPmTdR4dqHBbyHPF53QpX7hNgG4YVXljK2ZMMwne0CVWJWJbghTE3E7mzxRJP0H0FiN/tU2IgG4I8w/9DAh53ajKW7yPUaYBLn9LoeHW345F3UY8 IzVLMugTG/DxSeRtMbTuUrPQeqnHQsNpg3G8BK8ke5tx2WVKVlBNSNykrf9SDuE6O/CgdT/ruMVUKThe1KZHVzrmt5IL45JqB8oadba0 hF2cXHWiWrnaIKxRIj2YcPvJBcdhv3raZ6iDT 1xiQyw1lHDzIaglRjgVBMoFyvnEgCWVScvJ CSyEzx//pg8D4PZtfbhdLeBPOnG4K61iTKHc1VL0hfuNphvNMxZ9/v6fLTViZaJjq9BYEtgwXgs7udhVSg2Fu4IlcIQ7Pc23Hgo T9Udchl9xKtpeLf GAbD"
"NP6yu5 s/N9q2LFHwy5Ge3vWafDDyM0XgIXL/SocfUpBEc2iz" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 jO7cksRJLFHdItgO4" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 ow1rR56789/ue1sByvUf4kVuix" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 sH9 Y xztvq/XYWHIi jTIOMPd" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 kq14RlhabcdIjFSyg16YzyLsH" = "NP6yu5 oP0PS334567NX1wUvmzicsJyquhzWJThICeR9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"Publisher" = "Upd Inst"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 q83XdcabcdeK18vAC0H9NVFErZY89qziqz" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 kMSXeBMOQIKhE69m1QE674UDEx" = "NP6yu5 tyrauJ56789JH3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qnt FxztvqoDfBtS/GCPHJVoOIo2SDnPtKi" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 r 8G2h34567HEDrcOMl 7 u93c" = "NP6yu5 yvxasXSUMOQsUr zM0RdpTk8ScmJLjtCoOdgd"
"NP6yu5 mGooxrikg01VravP7V/5b68FyY" = "NP6yu5 xztvqomjlha"
"NP6yu5 mGMVNpnikg0UES4we2P15TB9y" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 rK2YdOCDWYSo sSZJb0LFNMK7umzJ4f" = "NP6yu5 o4IdosRJLFHmfwN6K"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"NoRepair" = "1"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 oxTCwROQIKEbfoQmXOVq3pyCV" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 t4SMY89/XZTo241UBcL1FgCdQgO" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 o/JAuurpnikZzc72iod641QVSkWTqJSu5zR" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"URLInfoAbout" = ""
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 obHhU6789/Xu3lMQKQBU9v0o8l1 pwHGQ7a" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 upBrs456789yYTFdDrzVA0PJHl5GUN4cRRU6I0 /b" = "NP6yu5 ms6Kogvqomje5FgkwM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"_In" = "20141112"
"InstallDate" = "20131112"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qCEj2JrpnikTXYRb/hjk8pv2i7" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 uGnmtBCDWYSqb6jM/jZxaHmJs4bb/qRin 8" = "NP6yu5 yvxasXSUMOQsUr zM0RdpTk8ScmJLjtCoOdgd"
"NP6yu5 rOHR67habcdI6oQitBZylEDlKv" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 jJE/mnBCDWYvA42sczUv9SClfrqvZXt8sBARO" = "NP6yu5 k44Ae445678NJmwZvfXfHqgix"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"NoModify" = "1"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 q2cpRx789/XueIe5iLgmR36Hi9ZR5HNZs2A" = "NP6yu5 p2g4ahLFHwykW"
"NP6yu5 t5w/eBhabcdLg7/sFSAaTxRvG" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 t3BD56789/Xu4TF4qCfDCBTHm9BO81oA/UPCl" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 m493B1JLFHwfSLP0cq" = "NP6yu5 sB7jMZTVNPRs6ixSKY7TYx"
"NP6yu5 xGCT2oqomjlV2gRnCoLMWn7nyn" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"UninstallString" = "c:\documents and settings\all users\application data\freeworldapp\upd inst\upd inst.exe /uninstall"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 zUPS3jlhabcQDMNIScd6AO3aDxmTq1WIaX6" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
"NP6yu5 qwDMhUjlhabRi95gdx9wB Kt8h" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"DisplayName" = "Upd Inst"
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 xegqyZTVNPRhap40RL5nzk9RVF fIgeuX" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 jyYwQburpniZRRB5FiXXl0Nh4RV" = "NP6yu5 k44Ae445678NJmwZvfXfHqgix"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD C8 A8 9A 95 E2 7E 5E 17 B2 FB 98 AC 7D C2 8F"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 kzHwZuJLFHw5Fr3FSOzPpISE/F" = "NP6yu5 uDBxDY xztvCu97ygBqNrrfVrpnPvtSossp0Bhp2tIt/rYySGdnV6r1XFuQ6sBRm572bMSSvAZ/OONs HkRqlhE862xIPmTdR4dqHBbyHPF53QpX7hNgG4YVXljK2ZMMwne0CVWJWJbghTE3E7mzxRJP0H0FiN/tU2IgG4I8w/9DAh53ajKW7yPUaYBLn9LoeHW345F3UY8 IzVLMugTG/DxSeRtMbTuUrPQeqnHQsNpg3G8BK8ke5tx2WVKVlBNSNykrf9SDuE6O/CgdT/ruMVUKThe1KZHVzrmt5IL45JqB8oadba0 hF2cXHWiWrnaIKxRIj2YcPvJBcdhv3raZ6iDT 1xiQyw1lHDzIaglRjgVBMoFyvnEgCWVScvJ CSyEzx//pg8D4PZtfbhdLeBPOnG4K61iTKHc1VL0hfuNphvNMxZ9/v6fLTViZaJjq9BYEtgwXgs7udhVSg2Fu4IlcIQ7Pc23Hgo T9Udchl9xKtpeLf GAbD"
"NP6yu5 mPpwLQDWYSUoj8v7lBa0 8W0MSmWN4ClWM7" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
"NP6yu5 jxu9x/ztvqoWwAvzzG1eDHhjPa" = "NP6yu5 zDwXQmsurpnBTUMLw3dXAL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"DisplayVersion" = "1.2.0.1766"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 vbNHYCDWYSUoiK7bPU/LiTlOXXB/Y/8ZsgUeDPvDrC" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 jnTHsfABCDWtWkUM/W1aPBtS1 VQW3XAfac" = "NP6yu5 xztvqomjlha"
"NP6yu5 oFUvMDbcdefHBbxrMluGJ9Aygj" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 u4W7I3FHwysfpPWVEc640Vgj7vuI5FRvR" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 oRN6utIKEG digPng1ySOBlAVHvZrTks5X3JZ0jUs" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 xh2uW4Hwysu7Ssr8oWZx2xW2hDd4djxqbX" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 vGPjjAfABCDtsHMzvqSfT7E4si" = "NP6yu5 nsOVqgsurpn3luw"
"NP6yu5 sFynDebcdef tMD" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 s2TbxEefABCxJ0DAXr /fsJdEdZsSHr HV" = "NP6yu5 oP0PS334567NX1wUvmzicsJyquhzWJThICeR9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"URLUpdateInfo" = ""
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 yEFhrM xztvBTqybYrHCKZLQDEDd77yDa71" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-2218554572]
"SilentUninstall" = "c:\documents and settings\all users\application data\freeworldapp\upd inst\upd inst.exe /uninstall"
[HKLM\SOFTWARE\Upd Inst\2218554572\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qAAIJrpnikgVSUoLaz3mK8u RgKbxPY" = "NP6yu5 ms6Kogvqomje5FgkwM"
The process %original file name%.exe:548 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{6C07E~1\Setup.exe /remove /q0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"Version" = "16777216"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Tsu88EE8827.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{6C07E~1\Setup.exe /remove /q"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"VersionMajor" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EBF539D0-F45C-4138-9756-F390D12471F8}]
"388" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"Language" = "1033"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"EstimatedSize" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Addons]
"usetup.exe" = "usetup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"TSAware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Fonts" = "%WinDir%\Fonts"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 24 2C C4 E9 F7 72 6A 7C 64 FF 5F FE 8E CF 5D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"TizPath" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\6f70514a-d59d-4ddb-91be-7250c73acdab]
"VersionMinor" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The Backdoor modifies IE security-zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\All Users\Application Data\FreeWorldApp\Upd Inst\Upd Inst.exe |
| 2580b4f2c4522fe5cb36e6d3ec09b24a | c:\Documents and Settings\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll |
| e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe |
| af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\TsuDll.dll |
| 9b02f9d7afb338368b1aab73f21708cd | c:\Documents and Settings\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll |
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\agup[1].exe |
| 4c6332261ee935985c443e80e1499e16 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DeltaFix[1].exe |
| 22f99fd2ba978909acdcf3f63846af17 | c:\Program Files\DeltaFix\DeltaFix.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: FreeWorldApp
Product Name: FreeWorldApp
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 FreeWorldApp
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.9.28.1126
File Description: Installer for FreeWorldApp
Comments: WinNT (x86) Unicode Lib Rel
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 2.76871 | f36830a909a8bc24c3f3695408fe2ee4 |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120967 | 121344 | 5.54288 | c1e6f883fec7a9e07fd2e6fc90d0362d |
| .tsuarch | 159744 | 176640 | 176640 | 5.54373 | e24ce50b92cada2eab1c838aac41d932 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 147
URLs
| URL | IP |
|---|---|
| hxxp://loversion.com/?step_id=1&installer_id=6050722328027847665&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=BG&locale=EN&browser_id=4&download_id=3744279888015210350&external_id=0&session_id=5882646364848683593&hardware_id=8686240424344041467&installer_file_name=Remover for NextCoup adware&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://loversion.com/?report_version=5& | |
| hxxp://loverse.org/addons/DeltaFix.exe | |
| hxxp://techine.info/get/?data=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&version=4 | |
| hxxp://loversion.com/?step_id=1_1&installer_id=6050722328027847665&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=BG&locale=EN&browser_id=4&download_id=3744279888015210350&external_id=0&session_id=5882646364848683593&hardware_id=8686240424344041467&installer_file_name=Remover for NextCoup adware&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://loverse.org/addons/agup.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET MALWARE W32/InstallRex.Adware Report CnC Beacon
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
The Backdoor connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
usetup.exe:416
putfu.exe:1848
rundll32.exe:204
rundll32.exe:424
Upd Inst.exe:1992
Upd Inst.exe:192
%original file name%.exe:548
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\Upd Inst.exe (26080 bytes)
%Program Files%\DeltaFix\DeltaFix.dll (246604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (25429 bytes)
%Documents and Settings%\All Users\Application Data\FreeWorldApp\Upd Inst\2218554572.ini (35494 bytes)
%WinDir%\Tasks\Upd Inst-S-2218554572.job (660 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu88EE8827.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1_1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1FED15A.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DeltaFix[1].exe (185551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tinFE67.bat (88 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\_Setup.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7a32afd69f4409e830580bd1ae392af9.log (1682472 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.548.putfu.exe (185551 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{6C07E87C-2CDB-4381-A16A-64F9B7E4CA8A}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1[1].txt (6 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.