Dropped.Trojan.Generic.17338822_db5758991e
Dropped:Trojan.Generic.17338822 (B) (Emsisoft), Dropped:Trojan.Generic.17338822 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: db5758991e0deed7870c5e00ac1784f9
SHA1: 39d92feb6c68f1883bbfa79a202380f47bef9e1d
SHA256: 373e680e3c15ded35736b334f5dbb950f8c8faece035ed7799eaef6a6d436aac
SSDeep: 24576:NJpKVXCZs0g6hl55nrkwlgd47UWO6ACa4o0UY:wVXQg6hftkDu7UWOCGY
Size: 790495 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: BoostSoftware Inc.
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
taskkill.exe:908
taskkill.exe:1944
%original file name%.exe:1736
tasklist.exe:1080
tasklist.exe:312
tasklist.exe:628
tasklist.exe:252
tasklist.exe:1896
tasklist.exe:172
tasklist.exe:492
tasklist.exe:1616
tasklist.exe:232
tasklist.exe:1652
tasklist.exe:1676
tasklist.exe:1564
tasklist.exe:1212
tasklist.exe:468
tasklist.exe:140
tasklist.exe:560
tasklist.exe:264
tasklist.exe:160
tasklist.exe:236
tasklist.exe:1976
tasklist.exe:644
tasklist.exe:1764
klar.exe:1904
30973.exe:1276
79142644.exe:1320
find.exe:216
find.exe:1320
find.exe:1208
find.exe:748
find.exe:272
find.exe:236
find.exe:1712
find.exe:1884
find.exe:1612
find.exe:324
find.exe:1676
find.exe:1752
find.exe:1132
find.exe:1336
find.exe:264
find.exe:224
find.exe:1760
find.exe:2044
find.exe:1992
find.exe:1556
find.exe:644
find.exe:2008
find.exe:1764
The Dropped injects its code into the following process(es):
assigned.exe:212
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1736 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\slippery.lnk (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\30973.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ShellLink.dll (4 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%WinDir%\assigned.exe (4387 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\79142644.exe (3083 bytes)
%Program Files%\ministry\assigned.exe (4387 bytes)
%WinDir%\settings.dll (10219 bytes)
%Program Files%\ministry\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\crystallization\klar.exe (1036 bytes)
%Program Files%\ministry\settings.dll (10219 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ShellLink.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
The process klar.exe:1904 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7.tmp\ExecCmd.dll (4 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (0 bytes)
The process 30973.exe:1276 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
The process 79142644.exe:1320 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (0 bytes)
The process assigned.exe:212 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CATH9SJY.xml (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[1].xml (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CALG9QV7.xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAO9X9NF.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CAKLQRSP.xml (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAKKO4BV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[1].xml (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[5].xml (691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA57VGKC.xml (810 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA8NEFUR.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CA5OP85J.xml (725 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\page-1[1].htm (5002 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA2J452J.xml (722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[7].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CA6DE709.xml (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[2].xml (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CA1JGXHY.xml (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\analytics[1].js (2168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[5].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAQRWXYZ.xml (811 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CAOTG8KB.xml (774 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CAKPQNCT.xml (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\crossdomain[2].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\jwplayer1[1].js (69987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[4].xml (628 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[2].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA2BUBE5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[2].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CA490JGR.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[1].xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[3].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[5].xml (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[5].xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\ova-jw[1].swf (36761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CAC9MZ0D.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\player1[1].swf (12413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\player1[1].swf (15193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[6].xml (645 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CA56KLV5.xml (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\page-1[1].htm (3950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[6].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[6].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[1].xml (616 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\collect[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\counter[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\player1[1].swf (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\bck[1].htm (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\css1[1].css (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\page-1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (0 bytes)
Registry activity
The process taskkill.exe:908 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 B3 AB 6A B1 EE 9A 9B AC D5 DB C2 FE 1E 91 5B"
The process taskkill.exe:1944 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C CC 86 67 91 46 CF B2 8C F6 D6 0E 03 BC C2 FB"
The process %original file name%.exe:1736 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 4D 08 AF CB 11 53 3E 3E B9 7F 2C 6E 0D E8 61"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
To run itself automatically each time Windows boots, the Dropped adds a link to its file under the following system registry autorun keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"insupportable" = "%Program Files%\ministry\assigned.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hajji" = "%Program Files%\ministry\assigned.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forestland" = "%Program Files%\ministry\assigned.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eales" = "%Program Files%\ministry\assigned.exe"
The process tasklist.exe:1080 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 29 95 7B B4 BB 4E 80 1C 71 7F C3 9A 27 64 AB"
The process tasklist.exe:312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 41 83 F4 4B 65 16 6B 31 C3 E4 6F 29 EF CD D5"
The process tasklist.exe:628 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 6B A9 48 DF 20 33 C0 82 38 C2 EE 6A 9B F4 CB"
The process tasklist.exe:252 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 76 56 B2 0B FA E5 01 00 56 B8 8A 52 3C F3 03"
The process tasklist.exe:1896 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 FD 18 00 87 A8 D5 63 AE EE 65 CB 7E 3D 00 74"
The process tasklist.exe:172 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 46 4E 3F EC D9 F3 EC 7B F5 5C 88 93 1B 23 EC"
The process tasklist.exe:492 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 19 93 AD 6D 93 88 B2 B1 DD 8D 54 45 87 57 9E"
The process tasklist.exe:1616 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 51 A9 11 B7 83 9D 00 9B 25 9E DF 4C 5C AB 2C"
The process tasklist.exe:232 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 2B 9C E3 7F 4F C9 0D B0 43 E8 AF AB C6 83 1E"
The process tasklist.exe:1652 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 4C 03 15 EE E8 19 CC 31 BE 2B D7 74 8A E0 C3"
The process tasklist.exe:1676 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 17 84 68 8A 4F EB 65 45 9A F1 04 1D B9 70 7C"
The process tasklist.exe:1564 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 56 C5 B3 A1 11 41 7C FF 2C C0 1B 4C 8F BA 3C"
The process tasklist.exe:1212 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 43 0C 93 EF F9 2F 3A 91 8B 98 CD 3D 8A 19 EF"
The process tasklist.exe:468 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 B4 E8 A3 A2 45 97 52 C3 94 F9 40 55 30 A0 20"
The process tasklist.exe:140 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 27 8F C5 2E 1D A5 64 97 91 AC B2 43 50 93 E0"
The process tasklist.exe:560 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E A1 FA 69 B0 C6 E2 89 99 5A C4 31 EA 85 90 D6"
The process tasklist.exe:264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 2E 97 98 E9 AD 7A 60 88 F1 84 9E 47 0D CC CA"
The process tasklist.exe:160 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 DD 68 AE D7 0B 94 8D 41 D1 5D 16 18 4C 09 4D"
The process tasklist.exe:236 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 CA 9F 97 A6 B3 7E 6C E7 4C 7A C0 C3 34 5A B8"
The process tasklist.exe:1976 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E DF 47 0D CB BC D1 C5 0D 11 FE 29 93 FF 5F 1E"
The process tasklist.exe:644 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 A8 2B 1A 4C 3A 55 D5 7B 45 80 0B C1 1A 64 8C"
The process tasklist.exe:1764 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 48 E8 2C 5D 77 A7 C6 0A 93 33 21 75 AC 10 84"
The process klar.exe:1904 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 49 1F ED 5D FC E2 F7 9D 07 7B 1F 15 03 53 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run itself automatically each time Windows boots, the Dropped adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tassel" = "%Program Files%\ministry\assigned.exe"
"klar" = "%Program Files%\crystallization\klar.exe"
The process 30973.exe:1276 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 B4 1A 6A E8 75 DA 0A 94 3C 14 2D E0 AA D1 97"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 79142644.exe:1320 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 01 1D 0E 79 D4 5B CB D5 51 84 38 3B 1C EC FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process assigned.exe:212 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091320160914]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016091320160914\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091320160914]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091320160914]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 5D 64 D1 08 7F 56 19 26 12 C7 89 F0 1A 41 FE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091320160914]
"CacheRepair" = "0"
"CachePrefix" = ":2016091320160914:"
The Dropped sets the IE security-zone mapping so that all UNC (network) paths are treated as belonging to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped sets the IE security-zone mapping so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped sets the IE security-zone mapping so that all local (intranet) sites not listed in another zone are treated as belonging to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values and "ProxyEnable" = "0" are also the values Internet Explorer writes for a fresh profile, so on their own they are a weak indicator; the deletion of the proxy values below and the HOSTS file modification are the changes worth acting on.
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
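To triage a registry listing in the format this report uses, the following added Python example (not part of the Lavasoft report) parses `[KEY]` / `"Name" = "Value"` blocks into a dictionary and flags the entries a responder cares about: proxy and auto-config changes, ZoneMap relaxations, and anything under a Run key. The sample input is a constructed excerpt copied from the listing above; the set of "interesting" keys and the RNG-seed noise filter are my assumptions, not rules from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the registry listing above, in the
# report's own "[KEY]" / "Name" = "Value" format (one key appears twice).
SAMPLE_LISTING = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 5D 64 D1 08 7F 56 19 26 12 C7 89 F0 1A 41 FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')


def parse_listing(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a "[KEY]" / "name" = "value" listing into {key: {name: value}}.
    A key that appears several times has its values merged."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group('name')] = m.group('value')
    return result


# Assumed triage rules (my choice): (key suffix, value name or '*', verdict).
RULES: List[Tuple[str, str, str]] = [
    (r'\Internet Settings\ZoneMap', 'UNCAsIntranet', 'UNC paths mapped to Intranet zone'),
    (r'\Internet Settings\ZoneMap', 'ProxyBypass', 'proxy-bypass sites mapped to Intranet zone'),
    (r'\Internet Settings\ZoneMap', 'IntranetName', 'unlisted local sites mapped to Intranet zone'),
    (r'\Internet Settings', 'ProxyEnable', 'proxy toggled'),
    (r'\Internet Settings', 'AutoConfigURL', 'proxy auto-config URL changed'),
    (r'\CurrentVersion\Run', '*', 'autorun entry'),
]
# Values rewritten by Windows itself on every CryptoAPI use; never worth reporting.
NOISE = {(r'\Cryptography\RNG', 'Seed')}


def triage(parsed: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (key, name, value, verdict) for every value that matches a rule."""
    findings = []
    for key, values in parsed.items():
        for name, value in values.items():
            if any(key.endswith(k) and name == n for k, n in NOISE):
                continue
            for suffix, wanted, verdict in RULES:
                if key.endswith(suffix) and wanted in ('*', name):
                    findings.append((key, name, value, verdict))
    return findings


if __name__ == '__main__':
    for key, name, value, verdict in triage(parse_listing(SAMPLE_LISTING)):
        print(f'{verdict}: [{key}] "{name}" = "{value}"')
```

Matching on key suffixes rather than full paths lets the same rules cover HKCU, HKLM and the per-hardware-profile copy of Internet Settings that also appears in this listing.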
The processes find.exe:216, find.exe:1320, find.exe:1208, find.exe:748, find.exe:272, find.exe:236, find.exe:1712, find.exe:1884, find.exe:1612, find.exe:324, find.exe:1676, find.exe:1752, find.exe:1132, find.exe:1336, find.exe:264, find.exe:224, find.exe:1760, find.exe:2044, find.exe:1992, find.exe:1556, find.exe:644, find.exe:2008 and find.exe:1764 make changes in the system registry. Each of them creates and/or sets the following value in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = (a new 16-byte value per process, listed below)
| Process | "Seed" value |
|---|---|
| find.exe:216 | BB D6 26 0A 10 08 89 B1 92 E7 FE 8D A4 8C A2 DE |
| find.exe:1320 | D3 AD 7C 14 C1 2C 60 02 25 AF 15 F3 E8 08 48 4C |
| find.exe:1208 | 44 3D 39 B4 83 D0 B2 5E 2D BB 79 06 DD F7 0D 57 |
| find.exe:748 | 29 F3 8F F2 CA 46 33 28 28 DB D8 60 E7 00 64 BF |
| find.exe:272 | 3C 19 A8 2D 3B 43 03 7A AF FB FE 03 9E F0 2F 62 |
| find.exe:236 | 1D A3 5A 24 F3 15 9A F1 98 C3 EA BE 1E 55 8A 88 |
| find.exe:1712 | 79 3B 49 D2 57 CD E3 1B 95 F2 63 7F AB 8D 5E 63 |
| find.exe:1884 | 7E B8 13 A0 1A F5 CE 09 63 38 30 7D A9 9E B2 C3 |
| find.exe:1612 | 76 85 22 C4 47 A1 79 A7 B6 71 01 4D 8D 9D 7F 0C |
| find.exe:324 | EF E3 28 00 14 82 C9 E9 47 02 1F E7 E4 32 D4 30 |
| find.exe:1676 | 78 F9 43 9C 57 D4 32 96 83 93 02 49 CA A7 F8 B0 |
| find.exe:1752 | 01 C5 DE 81 17 5B 2A 40 5E CE CA 07 CC 79 45 AD |
| find.exe:1132 | 78 C5 63 B9 DB 94 BF 8B 42 F0 76 0A 44 E4 4E 3F |
| find.exe:1336 | 6A 29 3F B8 04 C7 6A E9 27 AC 19 8E F9 C3 30 B5 |
| find.exe:264 | E0 D0 A8 5F 54 10 B4 17 5E 1E 1E E9 B4 8B 97 C3 |
| find.exe:224 | FB 45 A6 58 85 63 32 9E 54 CB 5A D7 AF 5D 43 EA |
| find.exe:1760 | A8 98 CB 7D D1 25 E8 C3 28 D4 07 6A 7E 18 0E C0 |
| find.exe:2044 | 04 D5 05 C5 81 1C 06 61 B2 E8 9F 1A 58 9F 57 DD |
| find.exe:1992 | 3E 69 E9 5E AB E6 C5 0F 67 9D 88 C9 45 E6 67 DC |
| find.exe:1556 | DA 5C D0 B6 AB DD FA 9B 48 1D B7 FB 80 99 38 59 |
| find.exe:644 | 0D BE D2 18 96 67 F2 59 78 45 B9 30 6A 65 E6 06 |
| find.exe:2008 | A6 A8 72 95 16 14 90 0B C7 5E 18 84 3E 88 45 4F |
| find.exe:1764 | FD 6F 8E 88 D1 65 7C F5 E9 84 35 AA 6F D0 DE 88 |
The RNG "Seed" value is rewritten by the Windows CryptoAPI provider whenever a process uses it, so these entries are a side effect of find.exe being launched repeatedly and say nothing about the sample itself. The repeated find.exe (and tasklist.exe) launches come from the installer polling for its own dropped process with the `... | %SystemRoot%\System32\find /I "assigned.exe"` pipeline visible in the strings later in this report.
Dropped PE files
| MD5 | File path |
|---|---|
| 6351426f5922b23dd580621eee7b681c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\30973.exe |
| e7d305ae3129ea163f28aa141c51060a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\79142644.exe |
| b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy7.tmp\ExecCmd.dll |
| 662aac406d172571392b861fbec0edd9 | c:\Program Files\crystallization\klar.exe |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\Program Files\ministry\Microsoft.Win32.TaskScheduler.dll |
| de8ce032e276eee18ad1bc3196f2d23d | c:\Program Files\ministry\assigned.exe |
| 501a783962b9a7d5e92b59943d773b9a | c:\Program Files\ministry\settings.dll |
| c8ff52bfddc6898c202c08c4a61a3d22 | c:\WINDOWS\Microsoft.Win32.TaskScheduler.dll |
| de8ce032e276eee18ad1bc3196f2d23d | c:\WINDOWS\chump.exe |
| 501a783962b9a7d5e92b59943d773b9a | c:\WINDOWS\settings.dll |
The three files under %Program Files%\ministry are dropped a second time under %WINDOWS% (assigned.exe under the name chump.exe), as the identical MD5s show, so a cleanup that removes only one directory leaves a working copy behind.
HOSTS file anomalies
The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS, so every name listed there is redirected without a DNS lookup.
The modified file is 857 bytes in size. The following entries are appended to the hosts file (all three names point at the same address, 162.222.194.13, so requests for www.virustotal.com and virustotal.com go to that host instead of to VirusTotal):
| 162.222.194.13 | cocomo.tremorhub.com |
| 162.222.194.13 | www.virustotal.com |
| 162.222.194.13 | virustotal.com |
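A hosts-file check that catches this kind of tampering, as an added Python example that is not part of the Lavasoft report: it parses the file, flags entries that pin a name to a public (non-loopback, non-LAN) address or that touch a security vendor's domain, and groups names by target so a sinkhole-style hijack (several unrelated names on one address) stands out. The hosts content is constructed from the three entries above plus a default header; the watched-domain list is my assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: Windows-style hosts file with the default loopback lines
# followed by the three entries this report says the sample appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
162.222.194.13  cocomo.tremorhub.com
162.222.194.13  www.virustotal.com
162.222.194.13  virustotal.com
"""

# Assumed watch-list (my choice): domains whose redirection blocks security tooling.
WATCHED_DOMAINS = ('virustotal.com', 'microsoft.com', 'windowsupdate.com', 'symantec.com')


def parse_hosts(text: str) -> List[Tuple[ipaddress._BaseAddress, str]]:
    """Return (address, hostname) pairs; comments, blanks and unparsable lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not an address: skip the line
        for name in parts[1:]:                  # one line may carry several aliases
            entries.append((addr, name.lower()))
    return entries


def is_watched(name: str) -> bool:
    return any(name == d or name.endswith('.' + d) for d in WATCHED_DOMAINS)


def suspicious_entries(entries) -> List[Tuple[str, List[str]]]:
    """(hostname, reasons) for every entry that deserves a look."""
    findings = []
    for addr, name in entries:
        reasons = []
        # Legitimate hosts entries are almost always loopback or LAN addresses.
        if not (addr.is_loopback or addr.is_private or addr.is_unspecified):
            reasons.append('public IP')
        if is_watched(name):
            reasons.append('watched domain')
        if reasons:
            findings.append((name, reasons))
    return findings


def shared_targets(entries, minimum: int = 2) -> Dict[str, List[str]]:
    """{address: [names]} for addresses that two or more names are pinned to."""
    by_ip: Dict[str, List[str]] = {}
    for addr, name in entries:
        by_ip.setdefault(str(addr), []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= minimum}


if __name__ == '__main__':
    parsed = parse_hosts(SAMPLE_HOSTS)
    for name, reasons in suspicious_entries(parsed):
        print(f'{name}: {", ".join(reasons)}')
    for ip, names in shared_targets(parsed).items():
        print(f'{ip} <- {len(names)} names: {", ".join(names)}')
```

On a live Windows host, read `%SystemRoot%\System32\drivers\etc\hosts` into `parse_hosts` instead of the constructed string; the same three checks apply unchanged.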
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 86016 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 278528 | 2536 | 2560 | 3.13622 | b9f20defc9dd650d8dcc7fc5d4708ad4 |
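The section table explains why this file looks "packed" without being a packed executable: the sections hold about 32 KB of code and data with low entropy, while the file is 790495 bytes, so almost everything lives after the last section as an overlay. For an NSIS installer (the manifest in the strings later in this report identifies the stub as Nullsoft Install System v2.46) that overlay is the compressed install archive, and .ndata is the stub's uninitialised data section, which has no bytes on disk by design. The added Python example below, not code from the report, works that out from the table: the section rows are transcribed as constructed input, the total file size is taken from the report header, and the 0x400-byte header size and the virtual/raw ratio threshold are my assumptions.

```python
import hashlib
from typing import List, Tuple

# Constructed input: the PE Sections table transcribed as
# (name, virtual_address, virtual_size, raw_size, entropy, section_md5).
Section = Tuple[str, int, int, int, float, str]
SECTIONS: List[Section] = [
    ('.text',  4096,   23628,  24064, 4.46394, '856b32eb77dfd6fb67f21d6543272da5'),
    ('.rdata', 28672,  4764,   5120,  3.4982,  'dc77f8a1e6985a4361c55642680ddb4f'),
    ('.data',  36864,  154712, 1024,  3.3278,  '7922d4ce117d7d5b3ac2cffe4b0b5e4f'),
    ('.ndata', 192512, 86016,  0,     0.0,     'd41d8cd98f00b204e9800998ecf8427e'),
    ('.rsrc',  278528, 2536,   2560,  3.13622, 'b9f20defc9dd650d8dcc7fc5d4708ad4'),
]
FILE_SIZE = 790495      # total size reported for the sample
HEADER_SIZE = 0x400     # assumption: headers fill one file-alignment unit, typical for NSIS stubs

EMPTY_MD5 = hashlib.md5(b'').hexdigest()   # d41d8cd98f00b204e9800998ecf8427e


def bss_sections(sections: List[Section]) -> List[str]:
    """Sections with no bytes on disk: raw size 0 and the MD5 of empty input."""
    return [s[0] for s in sections if s[3] == 0 and s[5] == EMPTY_MD5]


def mapped_bytes_on_disk(sections: List[Section]) -> int:
    """Sum of raw sizes: how much of the file the loader actually maps."""
    return sum(s[3] for s in sections)


def overlay_estimate(sections: List[Section], file_size: int,
                     header_size: int = HEADER_SIZE) -> Tuple[int, float]:
    """(overlay bytes, fraction of file) for data after the last section.
    A large overlay behind low-entropy code sections points to an installer
    or dropper carrying a payload archive, not to a runtime packer."""
    end_of_sections = header_size + mapped_bytes_on_disk(sections)
    overlay = file_size - end_of_sections
    return overlay, overlay / file_size


def inflated_sections(sections: List[Section], ratio: float = 8.0) -> List[str]:
    """Sections whose virtual size is far larger than their raw size; here .data
    (154712 vs 1024) is the stub's zero-initialised working memory. Threshold is an assumption."""
    return [s[0] for s in sections if s[3] and s[2] / s[3] >= ratio]


def low_entropy(sections: List[Section], threshold: float = 6.5) -> bool:
    """True when every section with bytes on disk has entropy below threshold
    (compressed or encrypted code normally sits above 7). Threshold is an assumption."""
    return all(s[4] < threshold for s in sections if s[3])


if __name__ == '__main__':
    overlay, fraction = overlay_estimate(SECTIONS, FILE_SIZE)
    print(f'BSS sections:       {bss_sections(SECTIONS)}')
    print(f'mapped on disk:     {mapped_bytes_on_disk(SECTIONS)} bytes')
    print(f'overlay:            {overlay} bytes ({fraction:.1%} of file)')
    print(f'inflated sections:  {inflated_sections(SECTIONS)}')
    print(f'all sections low entropy: {low_entropy(SECTIONS)}')
```

The same arithmetic on a real file would use the section table's PointerToRawData plus SizeOfRawData for the last section instead of an assumed header size; the table here does not carry raw pointers, which is why the header size is an input.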
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 108
7bcde813c50a0b0e20e5f9f233bc3040
ca004345bdd1cb292744ed711de04d19
2a9af6bcab5eb49d9a62a6ea72cdd286
e4e8ea421895b321bea9afa16d8a6fb5
851b5de8d1e586ba0301b1027800dea8
54c304cd37a8ae6ce5c21d5a5240d80c
f4ae937348a591e02f7ccb79f47cdc1f
c27730e88a7e5003ff846e8f0e578968
023529d5b4f5db6fc3e123bf47ac15d6
8e38be8c510a94c0a96ee39bc32ed333
14055969428fc76bc66b28491ff90d63
2b8b2136bdf153f722ecd721fabcf1aa
9dec231998f0f3d8301aa5c1a6e0119f
0affe53e87c71d2b7f9066427a5d71e5
3f92282b316430f68d847ff93565f264
1f4ab1b0f88d2b1805bcfbdaa2c461f1
3fadc54dc0f9a4e6af4b370749973ec3
2d43a582840285217ab6adaf45ff8c22
4ad98fe1fd6a020f491e31eb4aa16205
562254cc7ac0f92876c4964400fb6cd7
a261aa83665bed04243da16ecade0df0
bea91233ff3a67b260b02a18d7cb54c2
b1a5b5b97ab40559c62f27923a7322c1
830674c88d54f6aa3c6f1bcf72147f75
fb9b2e8e0616dc9aecab4078c571a0f8
f3636d03e448990429c0cd25a2f93345
URLs
| URL | IP |
|---|---|
| hxxp://d3cpqb3ouewn5u.cloudfront.net/index5.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t= | |
| hxxp://d3cpqb3ouewn5u.cloudfront.net/func.js?r=5 | |
| hxxp://www-google-analytics.l.google.com/analytics.js | |
| hxxp://cocomo.tremorhub.com/itd.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t=&rand= | |
| hxxp://www.clangburkitt.info/count.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t=&rand= | |
| hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=356611280&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=555460349&cid=1377690454.1473782234&tid=UA-74694740-5&_r=1&z=1612721500 | |
| hxxp://c.statcounter.com/10114910/0/757d7213/1/ | |
| hxxp://8c715ae47b.site.internapcdn.net/page-1.html?lid=937115 | |
| hxxp://widgets.amung.us/draw/?w=colored&n=998&c=000000ffffff&p= | |
| hxxp://109.201.148.40/report1.php?url=/govids/page-1.html?lid=937115 | |
| hxxp://govids.net/jwplayer1.js | |
| hxxp://109.201.148.40/bck.php?1473782235000 | |
| hxxp://govids.net/1.js | |
| hxxp://8c715ae47b.site.internapcdn.net/page-1.htm?lid=937115 | |
| hxxp://109.201.148.40/report1.php?url=/govids/page-1.htm?lid=937115 | |
| hxxp://g1.panthercdn.com/counter/counter.js | |
| hxxp://govids.net/player1.swf | |
| hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j46&a=607540295&t=pageview&_s=1&dl=http://www.govids.net/page-1.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1916155861&cid=44415039.1473782236&tid=UA-74694740-2&_r=1&z=256026923 | |
| hxxp://8c715ae47b.site.internapcdn.net/css1.css | |
| hxxp://8c715ae47b.site.internapcdn.net/img/logo.png | |
| hxxp://8c715ae47b.site.internapcdn.net/img/lbg.png | |
| hxxp://c.statcounter.com/t.php?sc_project=10675947&java=1&security=299981d6&u1=F76D7BABCB714F614E7A5CF7E571261E&sc_random=0.475769053747595&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1276&h=846&camefrom=http://www.govids.net/page-1.html?lid=937115&u=http://www.govids.net/page-1.htm?lid=937115&t=&sc_snum=1&sess=a181b5&p=0&invisible=1 | |
| hxxp://cs28.wpc.thetacdn.net/5/10/logo.png | |
| hxxp://govids.net/ova-jw.swf | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://wildcard-ads-1386167347.us-east-1.elb.amazonaws.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 1&mediaDesc=Home videos, Funny Videos - 1&mediaId=2&mediaUrl=hxxp://www.govids.net/1.html&srcPageUrl=hxxp://www.govids.net/1.html&contentLength=300&LR_FORMAT=application/x-shockwave-flash | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/crossdomain.xml | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=rocketfuel,adapTV,centro,mediamath,TubeMogul-GP,_dmp_turbine,Videology,thetradedesk,appnexus,TapAd,videoamp,beeswax,eyeview,dataxu,google,ignitionone,tremornet,SundaySky,conversant,1,audiencescience,BidTheatre,dynadmic&uid=66c0e761009a4593b3aea4e8af5db5bf&init=true | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners-1732315393.us-east-1.elb.amazonaws.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.google-analytics.com/analytics.js | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.govids.net/page-1.htm?lid=937115 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.govids.net/img/logo.png | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=google,conversant,TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.govids.net/page-1.html?lid=937115 | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=607540295&t=pageview&_s=1&dl=http://www.govids.net/page-1.htm?lid=937115&ul=en-us&de=utf-8&sd=32-bit&sr=1276x846&vp=850x480&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=1916155861&cid=44415039.1473782236&tid=UA-74694740-2&_r=1&z=256026923 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.google-analytics.com/r/collect?v=1&_v=j46&a=356611280&t=pageview&_s=1&dl=http://www.bruindorsett.pw/index5.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t=&ul=en-us&de=utf-8&dt=add&sd=32-bit&sr=1276x846&vp=679x408&je=0&fl=11.6 r602&_u=AEAAAEAAI~&jid=555460349&cid=1377690454.1473782234&tid=UA-74694740-5&_r=1&z=1612721500 | |
| hxxp://xlf5t.ads.tremorhub.com/ad/tag?adCode=we1sb-kg4io&playerWidth=645&playerHeight=380&playerPosition=1&mediaTitle=Home videos, Funny Videos - 1&mediaDesc=Home videos, Funny Videos - 1&mediaId=2&mediaUrl=hxxp://www.govids.net/1.html&srcPageUrl=hxxp://www.govids.net/1.html&contentLength=300&LR_FORMAT=application/x-shockwave-flash | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=TubeMogul-GP,ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.bruindorsett.pw/index5.php?id=18AT7KCfXnrMx8X8r3ZK&date=2016-09-04&p=none&t= | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.govids.net/css1.css | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.govids.net/img/lbg.png | |
| hxxp://xlf5t.ads.tremorhub.com/crossdomain.xml | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.bruindorsett.pw/func.js?r=5 | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=ignitionone,1,adapTV,dataxu,tremornet,Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=Videology,thetradedesk,eyeview,appnexus,audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://www.statcounter.com/counter/counter.js | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://l.longtailvideo.com/5/10/logo.png | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=audiencescience,centro,SundaySky,dynadmic,mediamath,BidTheatre,beeswax,videoamp,TapAd,_dmp_turbine&uid=66c0e761009a4593b3aea4e8af5db5bf | |
| hxxp://partners.tremorhub.com/syncnoad?rid=5ef0abec81db4606a741033f44101df5&p=rocketfuel,adapTV,centro,mediamath,TubeMogul-GP,_dmp_turbine,Videology,thetradedesk,appnexus,TapAd,videoamp,beeswax,eyeview,dataxu,google,ignitionone,tremornet,SundaySky,conversant,1,audiencescience,BidTheatre,dynadmic&uid=66c0e761009a4593b3aea4e8af5db5bf&init=true |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Outdated Windows Flash Version IE
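The alert fires on the `x-flash-version` request header that Flash Player adds to its own HTTP requests (visible in the traffic below as `11,6,602,168`). The added Python example that follows, not part of the report or of the ET ruleset, shows the detection logic: parse the request headers, pull the four-part version, and compare it against a baseline. The request is constructed from the headers captured below; the baseline constant is a stand-in I chose, not the value the ET rule uses.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the first request captured in the Traffic section (body omitted).
SAMPLE_REQUEST = (
    "GET /5/10/logo.png HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "Referer: hXXp://govids.net/player1.swf\r\n"
    "x-flash-version: 11,6,602,168\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: l.longtailvideo.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Assumed baseline: anything older is reported. The ET rule tracks current builds
# itself; this constant is a placeholder, not the rule's value.
MIN_FLASH: Tuple[int, int, int, int] = (23, 0, 0, 162)

Version = Tuple[int, int, int, int]


def parse_headers(request: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.x request into (request line, {lower-case name: value})."""
    head, _, _body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flash_version(headers: Dict[str, str]) -> Optional[Version]:
    """Flash Player sends 'x-flash-version: major,minor,build,revision'."""
    raw = headers.get('x-flash-version')
    if raw is None:
        return None
    m = re.fullmatch(r'\s*(\d+),(\d+),(\d+),(\d+)\s*', raw)
    if not m:
        return None                      # malformed header: do not guess
    major, minor, build, rev = (int(x) for x in m.groups())
    return (major, minor, build, rev)


def outdated_flash(request: str, minimum: Version = MIN_FLASH) -> Optional[Version]:
    """Return the outdated version if the request announces one, else None."""
    _, headers = parse_headers(request)
    version = flash_version(headers)
    if version is not None and version < minimum:   # tuple comparison = version ordering
        return version
    return None


if __name__ == '__main__':
    hit = outdated_flash(SAMPLE_REQUEST)
    print('outdated Flash:', '.'.join(map(str, hit)) if hit else 'none')
```

The comparison is a plain tuple ordering, which is exactly what makes a baseline like this cheap to keep current: bump the constant when a new Flash build ships and nothing else changes.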
Traffic
GET /5/10/logo.png HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://govids.net/player1.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: l.longtailvideo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: image/png
Date: Tue, 13 Sep 2016 15:57:13 GMT
Etag: "3015243340"
Expires: Tue, 20 Sep 2016 15:57:13 GMT
Last-Modified: Fri, 22 Jun 2012 18:10:31 GMT
Server: ECAcc (arn/46B0)
X-Cache: HIT
Content-Length: 1845
(binary PNG response body, 1845 bytes, not shown)<<< skipped >>>
GET /player1.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://VVV.govids.net/page-1.htm?lid=937115
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
Cookie: _ga=GA1.2.44415039.1473782236; _gat=1
HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 00:02:57 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Sun, 15 Jun 2014 13:46:26 GMT
ETag: "4403c4-1bb61-4fbe0230ad080"
Accept-Ranges: bytes
Content-Length: 113505
Cache-Control: max-age=2592000, public
Expires: Wed, 16 Aug 2017 00:02:57 GMT
Connection: close
Content-Type: application/x-shockwave-flash
(binary SWF response body, 113505 bytes, not shown; the "CWS" signature marks a zlib-compressed SWF)<<< skipped >>>
GET /jwplayer1.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.govids.net/page-1.html?lid=937115
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: govids.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 14 Sep 2016 00:02:54 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 02 Jun 2016 05:31:59 GMT
ETag: "4403af-25d37-53444eccf91c0"
Accept-Ranges: bytes
Content-Length: 154935
Cache-Control: max-age=2592000, public
Expires: Wed, 16 Aug 2017 00:02:54 GMT
Connection: close
Content-Type: text/javascript
var dtn = Date.parse(new Date().toString());
document.write(unescape(
'
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7.tmp\ExecCmd.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7.tmp\ExecCmd.dll
"%Program Files%\ministry\assigned.exe"
md.dll
.reloc
EnumWindows
ExecCmd.dll
Kernel32.DLL
e%uy%u
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7.tmp
nsy7.tmp
rogram Files\ministry\assigned.exe"
q assigned.exe" | %SystemRoot%\System32\find /I "assigned.exe"
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy7.tmp
"%Program Files%\crystallization\klar.exe"
%Program Files%\crystallization
klar.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\crystallization\klar.exe
Software\Microsoft\Windows\CurrentVersion\Run
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
allization\klar.exe"
istry\assigned.exe"
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:908
taskkill.exe:1944
%original file name%.exe:1736
tasklist.exe:1080
tasklist.exe:312
tasklist.exe:628
tasklist.exe:252
tasklist.exe:1896
tasklist.exe:172
tasklist.exe:492
tasklist.exe:1616
tasklist.exe:232
tasklist.exe:1652
tasklist.exe:1676
tasklist.exe:1564
tasklist.exe:1212
tasklist.exe:468
tasklist.exe:140
tasklist.exe:560
tasklist.exe:264
tasklist.exe:160
tasklist.exe:236
tasklist.exe:1976
tasklist.exe:644
tasklist.exe:1764
klar.exe:1904
30973.exe:1276
79142644.exe:1320
find.exe:216
find.exe:1320
find.exe:1208
find.exe:748
find.exe:272
find.exe:236
find.exe:1712
find.exe:1884
find.exe:1612
find.exe:324
find.exe:1676
find.exe:1752
find.exe:1132
find.exe:1336
find.exe:264
find.exe:224
find.exe:1760
find.exe:2044
find.exe:1992
find.exe:1556
find.exe:644
find.exe:2008
find.exe:1764
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\slippery.lnk (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\AccessControl.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\30973.exe (1082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ShellLink.dll (4 bytes)
%WinDir%\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%WinDir%\assigned.exe (4387 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\79142644.exe (3083 bytes)
%Program Files%\ministry\assigned.exe (4387 bytes)
%WinDir%\settings.dll (10219 bytes)
%Program Files%\ministry\Microsoft.Win32.TaskScheduler.dll (8850 bytes)
%Program Files%\crystallization\klar.exe (1036 bytes)
%Program Files%\ministry\settings.dll (10219 bytes)
%System%\drivers\etc\hosts (123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SimpleFC.dll (5289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\logo[1].png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#govids.net\settings.sxx (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\noad[1].xml (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[2].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CATH9SJY.xml (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[1].xml (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CALG9QV7.xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[4].xml (687 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAO9X9NF.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\count[1].htm (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CAKLQRSP.xml (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[4].xml (503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAKKO4BV.xml (756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (1076 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[1].xml (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[3].xml (575 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[1].txt (556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\index5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[3].xml (648 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[2].txt (812 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[4].xml (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[5].xml (691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA57VGKC.xml (810 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[2].txt (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\lbg[1].png (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\counter[2].js (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA8NEFUR.xml (771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CA5OP85J.xml (725 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\govids.net\com.jeroenwijering.sxx (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[2].xml (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\page-1[1].htm (5002 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA2J452J.xml (722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\wau-widget[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[7].xml (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CA6DE709.xml (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[2].xml (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CA1JGXHY.xml (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\analytics[1].js (2168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[5].xml (616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\CAQRWXYZ.xml (811 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@statcounter[1].txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\CAOTG8KB.xml (774 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tremorhub[2].txt (728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CAKPQNCT.xml (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\crossdomain[2].xml (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\jwplayer1[1].js (69987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[4].xml (628 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@amung[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[2].xml (704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\CA2BUBE5.gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\crossdomain[1].xml (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[2].xml (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CA490JGR.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[1].xml (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\crossdomain[3].xml (144 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[5].xml (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[5].xml (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\counter[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\ova-jw[1].swf (36761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\itd[1].htm (1118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[3].xml (599 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[2].txt (323 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CAC9MZ0D.xml (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\v[1].xml (654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\collect[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bruindorsett[1].txt (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\player1[1].swf (12413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\player1[1].swf (15193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\syncnoad[6].xml (645 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@govids[1].txt (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\func[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\CA56KLV5.xml (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\css1[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\css1[1].css (659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKCUY40K\page-1[1].htm (3950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\1[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\logo[1].png (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[6].xml (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVWN4Z0B\syncnoad[6].xml (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LAX56M35\syncnoad[3].xml (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2D8LYHA5\syncnoad[1].xml (616 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"insupportable" = "%Program Files%\ministry\assigned.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hajji" = "%Program Files%\ministry\assigned.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forestland" = "%Program Files%\ministry\assigned.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eales" = "%Program Files%\ministry\assigned.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"tassel" = "%Program Files%\ministry\assigned.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"klar" = "%Program Files%\crystallization\klar.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.