Gen.Variant.MSILPerseus.28714_2eb91303de



by malwarelabrobot on August 12th, 2016 in Malware Descriptions.

Gen:Variant.MSILPerseus.28714 (BitDefender), Trojan:Win32/Dynamer!ac (Microsoft), Trojan.Win32.Hosts2.wgq (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.MSILPerseus.28714 (B) (Emsisoft), Artemis!2EB91303DE1C (McAfee), Heur.AdvML.C (Symantec), Gen:Variant.MSILPerseus.28714 (FSecure), Generic37.BNIF (AVG), Win32:Malware-gen (Avast), Gen:Variant.MSILPerseus.28714 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2eb91303de1c6b8fa47413fc31b50bbf
SHA1: ed1fb5bf9da703ea04f24ec648d16caccddaa776
SHA256: 63756740714e6ac5f8d3aa13c90ad8cd41445bb4f4448a31587ef05bb6f77eb8
SSDeep: 98304:GmshfKKaVgF5vvE0RvZWaq4Ul39myNDVTX:EfDXFp9m4Ud5DVTX
Size: 3441152 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company:
Created at: 2016-05-20 08:48:58
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:900

The Trojan injects its code into the following process(es):

Extreme Loader.exe:412

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Extreme Loader.exe (410922 bytes)

The process Extreme Loader.exe:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (611 bytes)

Registry activity

The process %original file name%.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 EA EB 39 4B 4E 1E 1C C3 5B 8B 9F 02 17 6B 29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"Extreme Loader.exe" = "Extreme Loader"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The process Extreme Loader.exe:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 4B 4F 3A BE 8A C6 34 27 4A 28 AA 13 30 6B D1"

Dropped PE files

MD5 File path
bb4ca7c47f5f41531999e3d4376cbcf7 c:\Extreme Loader.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to translate host names to IP addresses before DNS is consulted.
The modified file is 611 bytes in size. The following entries are added to the hosts file:

1.2.3.4 badeshan.com
1.2.3.4 www.badeshan.com
162.210.102.212 memoryhackers.com
162.210.102.212 www.memoryhackers.com
162.210.102.210 memoryhackers.org
162.210.102.210 www.memoryhackers.org
1.2.3.4 utilcheat.com
1.2.3.4 www.utilcheat.com
1.2.3.4 utilcheat.org
1.2.3.4 www.utilcheat.org
1.2.3.4 ughf.net
1.2.3.4 www.ughf.net
1.2.3.4 turkfrm.com
1.2.3.4 www.turkfrm.com
1.2.3.4 legendaryhax.org
1.2.3.4 www.legendaryhax.org
1.2.3.4 galaxyfrm.com
1.2.3.4 www.galaxyfrm.com
1.2.3.4 crewhan.org
1.2.3.4 www.crewhan.org
1.2.3.4 memoryhackers.net


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: updater
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2016
Legal Trademarks:
Original Filename: updater.exe
Internal Name: updater.exe
File Version: 1.0.0.0
File Description: updater
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 3423572 3423744 5.5402 dc001ad20788fb7ad64e31d05512d2f2
.sdata 3432448 312 512 1.46421 14f1b47501d727a522aba0f991abb904
.rsrc 3440640 15120 15360 2.92972 a55e1d565b9f4b3e7a9a317d0f023628
.reloc 3457024 12 512 0.067931 a670bf957a87a74673523197c025df23

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Extreme Loader.exe_412:

.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
9>t.hp
u%SSh
j%XtL9E
SSSSh
tFHt:Ht.Ht"Hu`
t'SShl
u$SShe
@ SSHPWj
FTCP
tAHt.HHt
SSh@B
<SShG
tl9_ tgSSh
FtPW
tWSShW
xSSSh
FTPjKS
FtPj;S
C.PjRV
CNotSupportedException
CCmdTarget
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
RegOpenKeyTransactedA
Advapi32.dll
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
CMFCVisualManagerWindows
comctl32.dll
comdlg32.dll
shell32.dll
user32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
mfcm100.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
Shell32.dll
%s:%x:%x:%x:%x
RegDeleteKeyExA
lXXxXXXXXXXX
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
&%d %s
%sDockingManager-%d
MSG_CHECKEMPTYMINIFRAME
%sPane-%d%x
%sPane-%d
CMDIFrameWndEx
Hex={X,X,X}
ole32.dll
CMDITabProxyWnd
CMDIChildWndEx
KeyboardManager
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
ShowCmd
%c%d%c%s
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
CMDIChildWnd
CMDIFrameWnd
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
windows
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
CMDIClientAreaWnd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
MFCLink_UrlPrefix
MFCLink_Url
RGB(%d, %d, %d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
ENABLE_KEYS
KEYS_MENU
KEYS
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
portuguese-brazilian
operator
GetProcessWindowStation
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
Wolfteam.bin
dnsapi.dll
Tal Turkey 3175
Turkey 9024
Hamadah SPORT
Linmeling SPORT
Reinhard SPORT
Marien SPORT
C:\Users\ADmin\Desktop\Extreme Loader\Extreme Loader\Release\Extreme Loader.pdb
.LGC[
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdUI@@
.?AVCMFCVisualManagerWindows@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.PAVCFileException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCRibbonKeyTip@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.PAVCOleDispatchException@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
.?AVCCmdTarget@@
.PAVCException@@
.rsrc
@.reloc
>> Error: Unable to allocate memory for DLL data (%d)
>> Error: Invalid executable image.
>> Error: Unable to open target process (%d)
>> Error: Unable to allocate memory for the DLL (%d)
>> Error: Unable to copy headers to target process (%d)
>> Error: Unable to allocate memory for the loader code (%d)
>> Executing loader code.
>> Error: Unable to execute loader code (%d)
C:\Users\ADmin\documents\visual studio 2013\Projects\ManualInjector\Release\ManualInjector.pdb
KERNEL32.dll
ADVAPI32.dll
MSVCP100.dll
MSVCR100.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
Teleportation[Y-T]
Crosshair
d3d9.dll
USER32.DLL
C:\Users\ADmin\Desktop\WolfExtremeX\WolfExtremeX\Menu\Menu\Release\Menu.pdb
GetAsyncKeyState
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyA
d3dx9_43.dll
PSAPI.DLL
imagehlp.dll
.detour
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:F90AE3FB0813E4119ED9E28834789A0C" xmpMM:DocumentID="xmp.did:3D0A0F2C270711E58839A3A226C0E3C5" xmpMM:InstanceID="xmp.iid:3D0A0F2B270711E58839A3A226C0E3C5" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F90AE3FB0813E4119ED9E28834789A0C" stRef:documentID="xmp.did:F90AE3FB0813E4119ED9E28834789A0C"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>U
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
C:\Extreme Loader.exe
LastPass
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
activation.php?code=
deactivation.php?hash=
C,%c@
.?AVIUrlBuilderSource@@
D$@%Xa
6#%x2
/n.In)
n-jSMx}
.uUtJ
.CA1k
.BV`e
y.xOS
.gV7')
sd.lnZ
.kUZ(I
V1.tO
,.nRsi
K".Nb
.OM@a
O.Mo~
NW.UQ
U.mua
Qd
9:i.Oo"
loUrL
p.DaE
%S:4D
SZ.Ae
.Uh}QWoT}
.LNwR
y?"%c
%F{g:
X.tJI06(
=.Ic?R
.Ss@l
2.Mj|\e
h.eA[
6?r%U
.CkeL
.iz n!3x
`y.JeD
q%up9
.fO*U
!%d>&
}YXiV.rl
H.IV0
vD.Yx&
Crtr9
l.jZad
zR.BW
1t.es
v%S"V
J?M%D@
vxt%U
v.MCSD/H
.rRb<
=<D36%U
i.pFE
hT..ddd
/ô~j
%u[#U
up.KN
Mz.zL
R.Ich
t-z}Z
hq-1}
>.LB;cM
_sLH%DNu
Y-.MT
4a.lfX
.Sau-;
ya|%d
4.myD
|B<.NO
úU{c
e.tha
.Ez[9^{
vT.ES
%X$G&
lA.DxJ
57%dZ
S.FhL
Dv%d:S7r"
e|.PR
25.sc
%dkk5
  m.eW.
-|EN%f
>qix.om
x.og_e
%s 3MoC
aG.Cei,k
%ChQ.n
.pn)$
pe*%U
q-76}Tlh
.om {E
%N%Dw
l_%sl
gA.Vo
.kJFr
1%ST?V
3p.Vd
D.XCx/q
I[.Cn
%f(#Q
_?ý6
S.Rkk
ej%F] _
?]%f;
ab.lcM
..p4.Wn
k.TjZu
3.%c]
<e.hA
uWT.CaM
U:\Zq
\$Dhu.MB
.fhf\^J
.hm2a:
%SHD'
.oBQV
cmd|9j
òi%
4$h%S
%f*co
Vd.wN
.&'%S
?%%X{
.NP/.
J,CRTm
E %UN6
7}C%xsp
OLEACC.dll
%c?)[
P[.sq
[%x^n
.FQO\
.oEHPu
[email protected]&
FKEY{
hf.Lk
2.qmtR
l~.Yg
L"6.vf4H
[.DIJ
^%c`qB
7.lhy$*
#.of0
`%Dno
RB,.WQ
1%ch^
]ra%f
sMt.aw
d%X/D
c%f!'B
K.ukWf
.QU*u
N%dxM2s
,..xI
,|}.av
j0V%C
;{.gG
1`k..lePM
$).ZV
sj.SwB
.DvdRXce{U
.zyag
vT {qx.WS
.ZnN3
'Eo
x.Nw~
iq;-7}
s.OY4C
v.xEp
.NB)x
%YT%u
d3YÅ
dT-A}
.pqG>
L.mGV
!Q.NpK
E#%CM
4%T.QM
:,f.wG
KÛ;
FD%X6
".uOR
R2.CD
%Xz[V
79.beN
.bP'3
.mT2.D
@A.YN
yU %S
z.DA"
$/.Je
*n>%sof
V.cKx
8kT.GdN
w".YB
W.zx4
o;z%X
"S%4U<
*X.BI
hW%D/5`X
[{.le
r%FM3uE
-.eykh
c}G.LOX
v&O%xF
Z}|:m%F
.nqG\
kKEye
.Wy_e
.BiMO
K<g%CK
J.kzO!
i:v%%d
<w{.bF]g
qd%f=
&64Ì
t.PS-y
M:\<4kv
JA.kW
oq%fy;
afz.FA
>.ex&
oit.Qe
.VQdB
MNF.ErD
@9.ph
>6*.Gx2E
.Aq#&
v/c.nCOf
%.UvC
%s2Vq8o
==Ah"^{KzG%u
Q.Qz^7 miNB
p[}%d
YYi.awZe
=v.pc
W.XTz
tj.Fg
pS}v.hS
dC.JH
:.GHhOo
&2.AQ
rn %XR
".ex}*
i.hS'FU
9u%Ut
Dy.JK
.yXbA
-q}9!
D.XYX
W.dc@
f.cip
F.MFo
CTt%S
V-Tr}
v.ytL
BP.jhjr
.WMbBF
 <.Lg
qQ)%Xw,
(%.WE
!(%uKc
;6Q%u
q]R.lA
ikEY*
'.ic\a--
.-He}
<.jOe
=so.DEu
Tn%X~
%Sl} 
>.BMS7
#"Ny%X
H;.EY,
$Db3M.st
{I.GH
=a%%f
_.TxB
|pGL.hRt
7.URA!
.qO0v
b%Saw
)P.TrW
CÃf
.HlkLQw
ND%u|
%d)v{
H_ux%x
.SVX?v
u@%c 
EP=.Rx
.Nde$
t.Eyr
j.qCE
Q.RcS
I.gK/
x.fkK
j{<awjF~%u%
A.zc%
G%C'R
$0U%c
N.xs_
Fy%f|g
zq.ra
Bl.PM
OT=.NeE.9
d.ASZ
]ýcN
'%CYLY
rU?n?
.SA!%
sp.tD
(y%9u
#v:%Fr7MuUsUo
.yL4<
r.hOv
.Ixs3
8p.Sw'
%0X6E
P%.jK
-L}oY
.cR5O
keYE
%CXywK
POK.OB
Cy(D
3m.cI
|Z.:%S
ýsG
;-xB}1n4
Y.edY
c.Ets?
gd%uR
!Hp.YZ
Vl.XDL
E9Npcz
5-%f~5
;/<6<=<!>
>&>->4>9>`>
:*;0;6;<;
5#5(5.545{6
7;8#9-959_9
7%8s8
3=3X3
<#= =<=_=
2"2)202.3
<!<=<9=:>
6"6&6*6.626~6
494{4!576
3\3%4,434~4
7&8.8\8{8
55
9;:<<|<]>
8\9{9 :6:
;0}0*121
9&:.:6:>:~:
6e6F6
? ?$?(?,?0?4?8?
> ?$?(?,?
7 7$7(7,7074787
< <$<(<,<0<4<
> >$>(>,>0>4>
< <$<(<,<
9 9(909<9`9
0S091K1h1
0 0$0(0,0
3/4`48>|>
9 :6:^:_<
19253;4{4
576\9 ?}?
89
aU.tB
urlmon.dll
\Q%sA
W.De}$
%sV0$:Yc
^B.gq
4.Gdd
pSHLWAPI.dll
;K.Vg i7
|@.Lr
c:*.EsXK
-.Lxk
A.Pct
%u22K
!%Um5
i%C^0m
Xbz%U
.MiI'
]I÷h
I%DgI
X~J%fW
%Uq{U
L}~D%C
.UX9[l
.hH^Cs
.Hd'Y
[g.nFb
1$*[%fZ
OJ:%7x
H%sg^
V.xOa
"%ci'
R@*ÿQ
N %S%
i.OTZ*l
.rzzp'
an G.Ah
yL;.Fx
vm.oaM
MSgs
.WePR|
.kCw}
%X5|R
.Zlc*
>hq%D
KA;%U
BL.qd
K 0%D
$(.GP
&*-1d}
2.hOP
[TU%X
.MB!V
%uix(
SExE]W.Z
.Bb>(
S.EJi
;_.CQx
.aRe4b
Kn.Fn
.eBhiLa
MSIMG32.dll
#WINSPOOL.DRV
OLEAUT32.dll
COMCTL32.dll
7ssHt
SHELL32.dll
qQ.xRT
&HfTp
u.sH`M
.wt_Q.
lq!.nLI
-pp}5nt
WINMM.dll
IMM32.dll
DMSGc
5%U6P
WININET.dll
URLDownloadToFileA
mk.aw
gdiplus.dll
oledlg.dll
..tBr
COMDLG32.dll
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
UxTheme.dll
accKeyboardShortcut
hhctrl.ocx
dwmapi.dll
yDWrite.dll
D2D1.dll
SHELL32.DLL
LRICHED20.DLL
ekernel32.dll
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

Extreme Loader.exe_412_rwx_005C6000_0033F000:

Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
C,%c@
.?AVIUrlBuilderSource@@
C:\Extreme Loader.exe
D$@%Xa
6#%x2
/n.In)
n-jSMx}
.uUtJ
.CA1k
.BV`e
y.xOS
.gV7')
sd.lnZ
.kUZ(I
V1.tO
,.nRsi
K".Nb
.OM@a
O.Mo~
NW.UQ
U.mua
Qd
9:i.Oo"
loUrL
p.DaE
%S:4D
SZ.Ae
.Uh}QWoT}
.LNwR
y?"%c
%F{g:
X.tJI06(
=.Ic?R
.Ss@l
2.Mj|\e
h.eA[
6?r%U
.CkeL
.iz n!3x
`y.JeD
q%up9
.fO*U
!%d>&
}YXiV.rl
H.IV0
vD.Yx&
Crtr9
l.jZad
zR.BW
1t.es
v%S"V
J?M%D@
vxt%U
v.MCSD/H
.rRb<
=<D36%U
i.pFE
hT..ddd
/ô~j
%u[#U
up.KN
Mz.zL
R.Ich
t-z}Z
hq-1}
>.LB;cM
_sLH%DNu
Y-.MT
4a.lfX
.Sau-;
ya|%d
4.myD
|B<.NO
úU{c
e.tha
.Ez[9^{
vT.ES
%X$G&
lA.DxJ
57%dZ
S.FhL
Dv%d:S7r"
e|.PR
25.sc
%dkk5
  m.eW.
-|EN%f
>qix.om
x.og_e
%s 3MoC
aG.Cei,k
%ChQ.n
.pn)$
pe*%U
q-76}Tlh
.om {E
%N%Dw
l_%sl
gA.Vo
.kJFr
1%ST?V
3p.Vd
D.XCx/q
I[.Cn
%f(#Q
_?ý6
S.Rkk
ej%F] _
?]%f;
ab.lcM
..p4.Wn
k.TjZu
3.%c]
<e.hA
uWT.CaM
U:\Zq
\$Dhu.MB
.fhf\^J
.hm2a:
%SHD'
.oBQV
cmd|9j
òi%
4$h%S
%f*co
Vd.wN
.&'%S
?%%X{
.NP/.
J,CRTm
E %UN6
7}C%xsp
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

Extreme Loader.exe_412_rwx_00C34000_00001000:

WINMM.dll
KERNEL32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:900

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Extreme Loader.exe (410922 bytes)
    %System%\drivers\etc\hosts (611 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
