Trojan.Autoit.Agent.EZ_5553f3c235

by malwarelabrobot on August 2nd, 2014 in Malware Descriptions.

Trojan.Win32.Autoit.bhd (Kaspersky), Trojan.Autoit.Agent.EZ (AdAware), Backdoor.Win32.Fynloski.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, VirTool


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 5553f3c235e4b9845647a5b79c4fa1f6
SHA1: 7f7fbde406028906fff0b5c43cc39ad654d36def
SHA256: ffe1726d5e600a61d375e8a2dec5d5d37bea4100e0162754889277251e2d2084
SSDeep: 49152:rJZoQrbTFZY1ia9YGA0ddUtgg8oNc3ycp/wn:rtrbTA16eddOF8lp/G
Size: 1849123 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

tb2323xt.exe:1748
mscorsvw.exe:172
%original file name%.exe:1784
%original file name%.exe:1720
scvhost.exe:1872

The Trojan injects its code into the following process(es):

tb2323xt.exe:924
scvhost.exe:320

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process tb2323xt.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\ga[1].js (2107 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\loader[1].htm (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (1614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\swfobject_modified[1].js (6822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\us_usbv2[1].htm (1639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\usbv2[1].jpg (1242 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (1095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[1].htm (277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[2].htm (277 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (918 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (1799 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (0 bytes)

The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\m549576.png (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tb2323xt.exe (7337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (7185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (3929 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (0 bytes)

The process %original file name%.exe:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vhost\scvhost.exe (13122 bytes)

Registry activity

The process tb2323xt.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 34 13 78 87 FD 52 B7 6B 63 F6 BD 7C C7 CE E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process tb2323xt.exe:924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080120140802\"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheOptions" = "11"
"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\BurnerMax]
"auto" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 20 AA F1 8F C6 E3 48 42 83 30 C6 6F 04 31 AE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080120140802]
"CachePrefix" = ":2014080120140802:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021320130214]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process mscorsvw.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 24 09 51 08 82 0E 53 24 1D 58 0B 47 57 64 ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tb2323xt.exe" = "BurnerMAX Payload Tool"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 10 3E 7A 95 D5 53 DC B2 D6 3C D5 1B 45 B3 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost]
"scvhost.exe" = "scvhost"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan adds a reference to itself so that it is executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Svchost" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The process scvhost.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 BC 8F A1 39 A9 BD D3 13 1F 21 5D 27 B9 CC CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process scvhost.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 5F B5 BF 5F 0E F5 B1 96 CF EC 8D 40 48 3B 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
9d92961c39c2e630a7e43bed7ac6c9a4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tb2323xt.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 525852 526336 4.63347 61ffce4768976fa0dd2a8f6a97b1417a
.rdata 532480 57280 57344 3.32693 0354bc5f2376b5e9a4a3ba38b682dff1
.data 589824 108376 26624 1.49032 8033f5a38941b4685bc2299e78f31221
.rsrc 700416 95568 95744 3.11661 6913d765bead9712b63ba495a63b8bd5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://xconsoles.com/app/loader.html
hxxp://userlocation.com/swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=www.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~
hxxp://x360usb.com/app/us_usbv2.html 87.98.252.138
hxxp://x360usb.com/app/Scripts/swfobject_modified.js 87.98.252.138
hxxp://userlocation.com/swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=www.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~
hxxp://x360usb.com/app/usbv2.jpg 87.98.252.138
hxxp://www.userlocation.com/swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5 74.220.222.239
hxxp://www.xconsoles.com/app/loader.html 46.246.94.116
hxxp://www.userlocation.com/swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af 74.220.222.239
hxxp://www.x360usb.com/app/Scripts/swfobject_modified.js 87.98.252.138
hxxp://www.x360usb.com/app/us_usbv2.html 87.98.252.138
hxxp://www.x360usb.com/app/usbv2.jpg 87.98.252.138
hxxp://www.google-analytics.com/ga.js 173.194.43.32
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=www.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ 173.194.43.32
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=www.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ 173.194.43.32


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /app/us_usbv2.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.x360usb.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 16:25:31 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Wed, 23 May 2012 08:18:59 GMT
ETag: "4601c0-667-4c0afc97c02c0"
Accept-Ranges: bytes
Content-Length: 1639
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xml
ns="hXXp://VVV.w3.org/1999/xhtml">.<META HTTP-EQUIV="Content-Typ
e" content="text/html; charset=UTF-8" />.<META HTTP-EQUIV="Expir
es" CONTENT="-1">.<META HTTP-EQUIV="Pragma" CONTENT="no-cache"&g
t;.<head>.<title>Sponsor</title>.<script src="Scr
ipts/swfobject_modified.js" type="text/javascript"></script>.
<!--//User Location Script: begin...//-->.<script type="text/
javascript" src="hXXp://VVV.userlocation.com/swadharma/projectf.js?pco
de=UL65975a141c0b22a72105ce1a664b39b5"> </script>.<!--//..
. User Location Script: end.//-->.<STYLE>.BODY {..border-styl
e:none;.}.</STYLE>.</head>.<BODY TOPMARGIN="0" LEFTMARG
IN="0" SCROLL="no">.<body>..<script type="text/javascript"
>...var gaJsHost = (("https:" == document.location.protocol) ? "htt
ps://ssl." : "hXXp://VVV.");...document.write(unescape(""));..</script>.<script type="text/javascript"&g
t;...try {....var pageTracker = _gat._getTracker("UA-13041870-2");....
pageTracker._trackPageview();...}...catch(err) {}..</script>.
.. <!-- The browser displays static advert if no Flash in IE --
>. <div> <a href="hXXp://VVV.xconsoles.com/products/xec
uter-x360usbpro-v2.html" target="_blank". .onClick="java

<<< skipped >>>

GET /app/usbv2.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.x360usb.com
Connection: Keep-Alive
Cookie: __utma=140599483.509102869.1406892446.1406892446.1406892446.1; __utmb=140599483.1.10.1406892446; __utmc=140599483; __utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 16:25:32 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Wed, 23 May 2012 08:19:00 GMT
ETag: "4601cb-34ad-4c0afc98b4500"
Accept-Ranges: bytes
Content-Length: 13485
Connection: close
Content-Type: image/jpeg

GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.xconsoles.com/app/loader.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 06:07:03 GMT
Expires: Fri, 01 Aug 2014 18:07:03 GMT
Last-Modified: Tue, 17 Jun 2014 01:05:58 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15810
Age: 37104
Cache-Control: public, max-age=43200
Alternate-Protocol: 80:quic

GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=194608661&utmhn=VVV.xconsoles.com&utmcs=utf-8&utmsr=1024x768&utmvp=482x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=GEO LOCATOR&utmhid=976439038&utmr=-&utmp=/app/loader.html&utmht=1406892444448&utmac=UA-13041870-4&utmcc=__utma=43369132.180759635.1406892444.1406892444.1406892444.1;+__utmz=43369132.1406892444.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ HTTP/1.1

Accept: */*
Referer: hXXp://VVV.xconsoles.com/app/loader.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 31 Jul 2014 06:07:04 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 123504
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;....



GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=977061144&utmhn=VVV.x360usb.com&utmcs=utf-8&utmsr=1024x768&utmvp=498x150&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Sponsor&utmhid=1806500170&utmr=-&utmp=/app/us_usbv2.html&utmht=1406892445792&utmac=UA-13041870-2&utmcc=__utma=140599483.509102869.1406892446.1406892446.1406892446.1;+__utmz=140599483.1406892446.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=D~ HTTP/1.1

Accept: */*
Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Thu, 31 Jul 2014 06:07:04 GMT
Server: Golfe2
Content-Length: 35
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Age: 123505
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;..


GET /app/loader.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xconsoles.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 01 Aug 2014 16:22:48 GMT
Content-Type: text/html
Content-Length: 765
Connection: keep-alive
Last-Modified: Wed, 19 Jun 2013 01:06:29 GMT
ETag: "543ce0-bc3-4df7770896f40-gzip"
Vary: Accept-Encoding
Content-Encoding: gzip
Accept-Ranges: bytes
...........V[O.@.~...8......w.A..].V...D..P...t..1......d..M.fN.9....m
...;.......0..u.;.....;..;......B.....P...!.0.{..D.h..$I..n....%...jiq
.4.R..J...f.8....V.....-.....i...........:<.,....1.t...ds........&.
.sb."[email protected].....`1t9%.X.....}.a......
a.."..T.s....,..DL.X2S=...I.....J...(.....y .#.]f...MRe... c......3f.4
Xckw.E...M..z....j.,ts.M....N.>t.....l.EHk...Z....j.W.-.tOb..7q....
t=. ..X.....j...h%Sr....B......`..!D....R...d.,d....h........l.....q..
. ..>H...k.(o..%.wJ..u[...T.TQ...~j....Q evD.c...;5..F....c2..h.6j.
j...S5....R.9..b.".>K....VR........OK.>...A_..#.g..9J.W......[.^
.3...T.?.....r%........Nb6VM.'9.oWg.&..D......~....9......*...5$6.W.#.
(..uQHva.N..C.,...0...C*.>u.E!]..B.u.B..6....!......7.W>v.c.7_n.
.ce?.-....*.......


GET /swadharma/projectf.js?pcode=UL02a0e47a4afc46f3ad7feaa4e458f5af HTTP/1.1
Accept: */*
Referer: hXXp://VVV.xconsoles.com/app/loader.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.userlocation.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 16:25:27 GMT
Server: Apache
Cache-Control: max-age=1209600
Expires: Fri, 15 Aug 2014 16:25:27 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2949
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive
Content-Type: text/html
...........X.s........A.Lm.....Y...t..9.;q2.E..e..([.....[2v.2.>..\
.....,..z..N.j.S.{..{~o^..e.....o.t\..#L..f...2...q..^6......h..J..E99
........r.e..rql..t...M...,..G....5-.q.....~N..!..W..).B89.2.d..s3..!.
....9.....T.-....J..e,g'.`s..P...~=/.............,./.Ge...3].......L.
.?...........8.G.a..}............k.2.~.....g.,/.....v^../.'S......x.G.
.c~T.D.'...y..y=0....;..Lm..t..^...k.o..'...:.5.,.z/.q.:. 5...`.!..x[g
...F.w.......2.:.....?m...w..v.....O..1........?....=<..).B..P=E[..
......^.n.W.e.O.#....:......6.{._?....z..6z L}k...B.....#.}`..p.~..z..
....;.\.5..3..-....6.E.X....>...y...H.....q.B...u..N.......poB...M.
......o.3..Y_Q,}.k......*....^.....|...5>....&...DFA8..G...V..u....
.lI...!4..8K..@T....../....0.Mk.[E|~.I...`W..fI.i.h_).Sd.T.Z...u.e{{.(
..<x.I.3..A....U..);d..s..Kl./t......7#X........J./..R..-~JP.?.....
.t$'.il_{...vN......l{...6Rd.....%."...%...J..j.>.........U........
[........n$.....(..![...~.T..R ...L.l.cB..^..bn.#.d..g.g.&}.3.o.&}.3..
.I.$.T...c...s....g....6.....}............X.aO..h.k>..c7.=..v/...RM
v...&.M..=.......Hi.b=6{mo......OeZ.1"vh...#.............) ..o......bo
.....o....R....2m......%.>q..........-...g.b..}.#.."3 ..Bu9a|..9...
...k..;......Aq.qW....,.3.1>P.d<[email protected]...#...c.r.88.*...%..
U...x!|......)q.#....q..(J..Vm.?..'{S....pw.2...../T....B..{.|<..G.
..3..*.....&..{........]h.&.....7.U..;L..<..L...M...A..'...T]...YvA
......6 .]...YuA8.. .]...........X.....B......P.. D..b.Znd.L..H.h.....
gL.................|[email protected].(@....H$..']$8KHx...%d.........g..

<<< skipped >>>

GET /swadharma/projectf.js?pcode=UL65975a141c0b22a72105ce1a664b39b5 HTTP/1.1

Accept: */*
Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.userlocation.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 16:25:29 GMT
Server: Apache
Cache-Control: max-age=1209600
Expires: Fri, 15 Aug 2014 16:25:29 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2949
Keep-Alive: timeout=10, max=499
Connection: Keep-Alive
Content-Type: text/html
...........X.s........A.Lm.....Y...t..9.;q2.E..e..([.....[2v.2.>..\
.....,..z..N.j.S.{..{~o^..e.....o.t\..#L..f...2...q..^6......h..J..E99
........r.e..rql...X.......( ...X...c..,..w.9....L.....Y"....W.L..na..
=...!.z..<.j.e.W.Y........l._..v<...E...Z......{..e.E.....~..z_.
r........a5.....|v..g.h6,../<..|......u}.OF./.....l...v..}.......d.
...}..O.H.|....h.D}.5..1............O....k?W|......T?Sg.F..E.e1NVg....
}..7$..o..........v..WZ._........O...?....4....?f...w;v;...\.....=E[(.
...h.5.}..oZ. .-......b..?.R..X....F{.......Yo_.F...omaTX..X=.}D..l...
.o.[/....~vg.....w.V........(.......C.:..".ipA_.3n\(.|..p.)}...u...M.&
gt;...2...9...u..:. ...cm..A..@ep~.....z..O..............(..{.H.~.....
.....-...=.F{.gI......X.`.EW.[...i.x...o4.5|.....,.8... %[email protected]
oo.%....4)v..5(....J.?e...{..b.m....R..!.f. ..6C..7C).%XR.W..O...g..|.
.....5..k..x.....{.r.m..!.F.......dW$...$..Z.[W..g..W......j...1...s 4
.;|.Y[..D.......4d .`...*1Tj.6.....tL.~. .S.-t...].L......&..../~&=.7.
.....7r...x.U.w.,.6.....}]...12RZ....... 1..B..`...c....]..%.tT...6...
......7.....).Z..f....7.....L "F..-..q...=...4.....1e%......Y.V.-...0.
....[.x..Z....7W....'n.^.W..X.6.....lWL4./v..Td...R..'./.?g.....q.Rz..
.^q.>(.0.*!....x.<[email protected].!x....*.u./...
.R.=2%N`....#NQ.E.O..-.'..do.......U..s5....}.RC.W.o..'}...cb.CS...:..
.?b..8...73..M..8b...F...e.)..G...9...b6 .3.......b7 ......wA......5 .
....p.....=.r........8..@[email protected]..=`b.
......<g.a..L..................g.......L.... .....".......2N@..

<<< skipped >>>

GET /app/Scripts/swfobject_modified.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.x360usb.com/app/us_usbv2.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.x360usb.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 16:25:31 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Last-Modified: Tue, 08 Mar 2011 11:19:02 GMT
ETag: "4601bb-575d-49df6c788f580"
Accept-Ranges: bytes
Content-Length: 22365
Connection: close
Content-Type: application/javascript
/*!.SWFObject v2.0 <hXXp://code.google.com/p/swfobject/>...Copyr
ight (c) 2007 Geoff Stearns, Michael Williams, and Bobby van der Sluis
...This software is released under the MIT License <hXXp://VVV.open
source.org/licenses/mit-license.php>..*/..var swfobject = function(
) {......var UNDEF = "undefined",....OBJECT = "object",....SHOCKWAVE_F
LASH = "Shockwave Flash",....SHOCKWAVE_FLASH_AX = "ShockwaveFlash.Shoc
kwaveFlash",....FLASH_MIME_TYPE = "application/x-shockwave-flash",....
EXPRESS_INSTALL_ID = "SWFObjectExprInst",........win = window,....doc
= document,....nav = navigator,........domLoadFnArr = [],....regObjArr
= [],....timer = null,....storedAltContent = null,....storedAltConten
tId = null,....isDomLoaded = false,....isExpressInstallActive = false;
....../* Centralized function for browser feature detection....- Propr
ietary feature detection (conditional compiling) is used to detect Int
ernet Explorer's features....- User agent string detection is only use
d when no alternative is possible....- Is executed directly for optima
l performance...*/....var ua = function() {....var w3cdom = typeof doc
.getElementById != UNDEF && typeof doc.getElementsByTagName != UNDEF &
& typeof doc.createElement != UNDEF && typeof doc.appendChild != UNDEF
&& typeof doc.replaceChild != UNDEF && typeof doc.removeChild != UNDE
F && typeof doc.cloneNode != UNDEF,.....playerVersion = [0,0,0],.....d
= null;....if (typeof nav.plugins != UNDEF && typeof nav.plugins[SHOC
KWAVE_FLASH] == OBJECT) {.....d = nav.plugins[SHOCKWAVE_FLASH].des

<<< skipped >>>

GET /app/us_usbv2.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: x360usb.com
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Aug 2014 16:25:31 GMT
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Location: hXXp://VVV.x360usb.com/app/us_usbv2.html
Content-Length: 248
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://VVV.x360usb.com/app/us_usbv2.html
">here</a>.</p>.</body></html>...


The Trojan connects to the servers at the following location(s):

tb2323xt.exe_924:

.text
`.rdata
@.data
.rsrc
@.reloc
B.odata
{94374E65-3577-4fde-ABBD-4E943E70E8E8}
WindowsForms10.Window.8.app4
WindowsForms10.Window.8.app.0.378734a
notepad.exe
X:
\\.\%c:
("Unexpected return from _amsg_exit",FALSE)
Load failed due to incompatible .NET Runtime version
mscoree.dll
%s(%d) : %s
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
user32.dll
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
kernel32.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
Client hook allocation failure at file %hs line %d.
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
Client hook re-allocation failure at file %hs line %d.
DAMAGE: after %hs block (#%d) at 0x%p.
DAMAGE: before %hs block (#%d) at 0x%p.
%hs allocated at file %hs(%d).
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: <%s> %s
f:\vs70builds\3077\vc\crtbld\crt\src\sprintf.c
f:\vs70builds\3077\vc\crtbld\crt\src\vsprintf.c
GetProcessWindowStation
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
("Invalid MBCS character sequence passed to strftime",0)
("Zero length output buffer passed to strftime",0)
("Invalid MBCS character sequence passed into strftime",0)
portuguese-brazilian
convrtcp.c
`.rsrc
v1.1.4322
IWebBrowser
DWebBrowserEvents
IWebBrowserApp
IWebBrowser2
OLECMDID
OLECMDF
OLECMDEXECOPT
DWebBrowserEvents2
WebBrowser_V1Class
DWebBrowserEvents2_Event
DWebBrowserEvents2_StatusTextChangeEventHandler
DWebBrowserEvents2_ProgressChangeEventHandler
DWebBrowserEvents2_CommandStateChangeEventHandler
DWebBrowserEvents2_DownloadBeginEventHandler
DWebBrowserEvents2_DownloadCompleteEventHandler
DWebBrowserEvents2_TitleChangeEventHandler
DWebBrowserEvents2_PropertyChangeEventHandler
DWebBrowserEvents2_BeforeNavigate2EventHandler
DWebBrowserEvents2_NewWindow2EventHandler
DWebBrowserEvents2_NavigateComplete2EventHandler
DWebBrowserEvents2_DocumentCompleteEventHandler
DWebBrowserEvents2_OnQuitEventHandler
DWebBrowserEvents2_OnVisibleEventHandler
DWebBrowserEvents2_OnToolBarEventHandler
DWebBrowserEvents2_OnMenuBarEventHandler
DWebBrowserEvents2_OnStatusBarEventHandler
DWebBrowserEvents2_OnFullScreenEventHandler
DWebBrowserEvents2_OnTheaterModeEventHandler
DWebBrowserEvents2_WindowSetResizableEventHandler
DWebBrowserEvents2_WindowSetLeftEventHandler
DWebBrowserEvents2_WindowSetTopEventHandler
DWebBrowserEvents2_WindowSetWidthEventHandler
DWebBrowserEvents2_WindowSetHeightEventHandler
DWebBrowserEvents2_WindowClosingEventHandler
DWebBrowserEvents2_ClientToHostWindowEventHandler
DWebBrowserEvents2_SetSecureLockIconEventHandler
DWebBrowserEvents2_FileDownloadEventHandler
DWebBrowserEvents2_NavigateErrorEventHandler
DWebBrowserEvents2_PrintTemplateInstantiationEventHandler
DWebBrowserEvents2_PrintTemplateTeardownEventHandler
DWebBrowserEvents2_UpdatePageStatusEventHandler
DWebBrowserEvents2_PrivacyImpactedStateChangeEventHandler
DWebBrowserEvents2_NewWindow3EventHandler
DWebBrowserEvents_Event
DWebBrowserEvents_BeforeNavigateEventHandler
DWebBrowserEvents_NavigateCompleteEventHandler
DWebBrowserEvents_StatusTextChangeEventHandler
DWebBrowserEvents_ProgressChangeEventHandler
DWebBrowserEvents_DownloadCompleteEventHandler
DWebBrowserEvents_CommandStateChangeEventHandler
DWebBrowserEvents_DownloadBeginEventHandler
DWebBrowserEvents_NewWindowEventHandler
DWebBrowserEvents_TitleChangeEventHandler
DWebBrowserEvents_FrameBeforeNavigateEventHandler
DWebBrowserEvents_FrameNavigateCompleteEventHandler
DWebBrowserEvents_FrameNewWindowEventHandler
DWebBrowserEvents_QuitEventHandler
DWebBrowserEvents_WindowMoveEventHandler
DWebBrowserEvents_WindowResizeEventHandler
DWebBrowserEvents_WindowActivateEventHandler
DWebBrowserEvents_PropertyChangeEventHandler
WebBrowser_V1
WebBrowserClass
WebBrowser
DShellWindowsEvents
IShellWindows
ShellWindowsClass
DShellWindowsEvents_Event
DShellWindowsEvents_WindowRegisteredEventHandler
DShellWindowsEvents_WindowRevokedEventHandler
ShellWindows
DShellWindowsEvents_SinkHelper
DShellWindowsEvents_EventProvider
DWebBrowserEvents_SinkHelper
DWebBrowserEvents_EventProvider
DWebBrowserEvents2_SinkHelper
DWebBrowserEvents2_EventProvider
System.Runtime.InteropServices
System.Reflection
System.Collections
System.Threading
ImportedFromTypeLibAttribute
get_LocationURL
LocationURL
cmdID
cmdexecopt
OLECMDID_OPEN
OLECMDID_NEW
OLECMDID_SAVE
OLECMDID_SAVEAS
OLECMDID_SAVECOPYAS
OLECMDID_PRINT
OLECMDID_PRINTPREVIEW
OLECMDID_PAGESETUP
OLECMDID_SPELL
OLECMDID_PROPERTIES
OLECMDID_CUT
OLECMDID_COPY
OLECMDID_PASTE
OLECMDID_PASTESPECIAL
OLECMDID_UNDO
OLECMDID_REDO
OLECMDID_SELECTALL
OLECMDID_CLEARSELECTION
OLECMDID_ZOOM
OLECMDID_GETZOOMRANGE
OLECMDID_UPDATECOMMANDS
OLECMDID_REFRESH
OLECMDID_STOP
OLECMDID_HIDETOOLBARS
OLECMDID_SETPROGRESSMAX
OLECMDID_SETPROGRESSPOS
OLECMDID_SETPROGRESSTEXT
OLECMDID_SETTITLE
OLECMDID_SETDOWNLOADSTATE
OLECMDID_STOPDOWNLOAD
OLECMDID_ONTOOLBARACTIVATED
OLECMDID_FIND
OLECMDID_DELETE
OLECMDID_HTTPEQUIV
OLECMDID_HTTPEQUIV_DONE
OLECMDID_ENABLE_INTERACTION
OLECMDID_ONUNLOAD
OLECMDID_PROPERTYBAG2
OLECMDID_PREREFRESH
OLECMDID_SHOWSCRIPTERROR
OLECMDID_SHOWMESSAGE
OLECMDID_SHOWFIND
OLECMDID_SHOWPAGESETUP
OLECMDID_SHOWPRINT
OLECMDID_CLOSE
OLECMDID_ALLOWUILESSSAVEAS
OLECMDID_DONTDOWNLOADCSS
OLECMDID_UPDATEPAGESTATUS
OLECMDID_PRINT2
OLECMDID_PRINTPREVIEW2
OLECMDID_SETPRINTTEMPLATE
OLECMDID_GETPRINTTEMPLATE
OLECMDID_PAGEACTIONBLOCKED
OLECMDID_PAGEACTIONUIQUERY
OLECMDID_FOCUSVIEWCONTROLS
OLECMDID_FOCUSVIEWCONTROLSQUERY
OLECMDID_SHOWPAGEACTIONMENU
OLECMDF_SUPPORTED
OLECMDF_ENABLED
OLECMDF_LATCHED
OLECMDF_NINCHED
OLECMDF_INVISIBLE
OLECMDF_DEFHIDEONCTXTMENU
OLECMDEXECOPT_DODEFAULT
OLECMDEXECOPT_PROMPTUSER
OLECMDEXECOPT_DONTPROMPTUSER
OLECMDEXECOPT_SHOWHELP
WindowSetResizable
WindowSetLeft
WindowSetTop
WindowSetWidth
WindowSetHeight
bstrUrlContext
bstrUrl
.ctor
IWebBrowser2_GoBack
IWebBrowser2_GoForward
IWebBrowser2_GoHome
IWebBrowser2_GoSearch
IWebBrowser2_Navigate
IWebBrowser2_Refresh
IWebBrowser2_Refresh2
IWebBrowser2_Stop
IWebBrowser2_get_Application
IWebBrowser2_get_Parent
IWebBrowser2_get_Container
IWebBrowser2_get_Document
IWebBrowser2_get_TopLevelContainer
IWebBrowser2_get_Type
IWebBrowser2_get_Left
IWebBrowser2_set_Left
IWebBrowser2_get_Top
IWebBrowser2_set_Top
IWebBrowser2_get_Width
IWebBrowser2_set_Width
IWebBrowser2_get_Height
IWebBrowser2_set_Height
IWebBrowser2_get_LocationName
IWebBrowser2_get_LocationURL
IWebBrowser2_get_Busy
DWebBrowserEvents2_Event_add_StatusTextChange
DWebBrowserEvents2_Event_remove_StatusTextChange
DWebBrowserEvents2_Event_add_ProgressChange
DWebBrowserEvents2_Event_remove_ProgressChange
DWebBrowserEvents2_Event_add_CommandStateChange
DWebBrowserEvents2_Event_remove_CommandStateChange
DWebBrowserEvents2_Event_add_DownloadBegin
DWebBrowserEvents2_Event_remove_DownloadBegin
DWebBrowserEvents2_Event_add_DownloadComplete
DWebBrowserEvents2_Event_remove_DownloadComplete
DWebBrowserEvents2_Event_add_TitleChange
DWebBrowserEvents2_Event_remove_TitleChange
DWebBrowserEvents2_Event_add_PropertyChange
DWebBrowserEvents2_Event_remove_PropertyChange
add_WindowSetResizable
remove_WindowSetResizable
add_WindowSetLeft
remove_WindowSetLeft
add_WindowSetTop
remove_WindowSetTop
add_WindowSetWidth
remove_WindowSetWidth
add_WindowSetHeight
remove_WindowSetHeight
DWebBrowserEvents_Event_Quit
DWebBrowserEvents2_Event_StatusTextChange
DWebBrowserEvents2_Event_ProgressChange
DWebBrowserEvents2_Event_CommandStateChange
DWebBrowserEvents2_Event_DownloadBegin
DWebBrowserEvents2_Event_DownloadComplete
DWebBrowserEvents2_Event_TitleChange
DWebBrowserEvents2_Event_PropertyChange
IWebBrowser2_Application
IWebBrowser2_Parent
IWebBrowser2_Container
IWebBrowser2_Document
IWebBrowser2_TopLevelContainer
IWebBrowser2_Type
IWebBrowser2_Left
IWebBrowser2_Top
IWebBrowser2_Width
IWebBrowser2_Height
IWebBrowser2_LocationName
IWebBrowser2_LocationURL
IWebBrowser2_Busy
IWebBrowser_GoBack
IWebBrowser_GoForward
IWebBrowser_GoHome
IWebBrowser_GoSearch
IWebBrowser_Navigate
IWebBrowser_Refresh
IWebBrowser_Refresh2
IWebBrowser_Stop
IWebBrowser_get_Application
IWebBrowser_get_Parent
IWebBrowser_get_Container
IWebBrowser_get_Document
IWebBrowser_get_TopLevelContainer
IWebBrowser_get_Type
IWebBrowser_get_Left
IWebBrowser_set_Left
IWebBrowser_get_Top
IWebBrowser_set_Top
IWebBrowser_get_Width
IWebBrowser_set_Width
IWebBrowser_get_Height
IWebBrowser_set_Height
IWebBrowser_get_LocationName
IWebBrowser_get_LocationURL
IWebBrowser_get_Busy
DWebBrowserEvents_Event_add_StatusTextChange
DWebBrowserEvents_Event_remove_StatusTextChange
DWebBrowserEvents_Event_add_ProgressChange
DWebBrowserEvents_Event_remove_ProgressChange
DWebBrowserEvents_Event_add_DownloadComplete
DWebBrowserEvents_Event_remove_DownloadComplete
DWebBrowserEvents_Event_add_CommandStateChange
DWebBrowserEvents_Event_remove_CommandStateChange
DWebBrowserEvents_Event_add_DownloadBegin
DWebBrowserEvents_Event_remove_DownloadBegin
DWebBrowserEvents_Event_add_TitleChange
DWebBrowserEvents_Event_remove_TitleChange
DWebBrowserEvents_Event_add_PropertyChange
DWebBrowserEvents_Event_remove_PropertyChange
DWebBrowserEvents_Event_StatusTextChange
DWebBrowserEvents_Event_ProgressChange
DWebBrowserEvents_Event_DownloadComplete
DWebBrowserEvents_Event_CommandStateChange
DWebBrowserEvents_Event_DownloadBegin
DWebBrowserEvents_Event_TitleChange
DWebBrowserEvents_Event_PropertyChange
IWebBrowser_Application
IWebBrowser_Parent
IWebBrowser_Container
IWebBrowser_Document
IWebBrowser_TopLevelContainer
IWebBrowser_Type
IWebBrowser_Left
IWebBrowser_Top
IWebBrowser_Width
IWebBrowser_Height
IWebBrowser_LocationName
IWebBrowser_LocationURL
IWebBrowser_Busy
IWebBrowserApp_GoBack
IWebBrowserApp_GoForward
IWebBrowserApp_GoHome
IWebBrowserApp_GoSearch
IWebBrowserApp_Navigate
IWebBrowserApp_Refresh
IWebBrowserApp_Refresh2
IWebBrowserApp_Stop
IWebBrowserApp_get_Application
IWebBrowserApp_get_Parent
IWebBrowserApp_get_Container
IWebBrowserApp_get_Document
IWebBrowserApp_get_TopLevelContainer
IWebBrowserApp_get_Type
IWebBrowserApp_get_Left
IWebBrowserApp_set_Left
IWebBrowserApp_get_Top
IWebBrowserApp_set_Top
IWebBrowserApp_get_Width
IWebBrowserApp_set_Width
IWebBrowserApp_get_Height
IWebBrowserApp_set_Height
IWebBrowserApp_get_LocationName
IWebBrowserApp_get_LocationURL
IWebBrowserApp_get_Busy
IWebBrowserApp_Quit
IWebBrowserApp_ClientToWindow
IWebBrowserApp_PutProperty
IWebBrowserApp_GetProperty
IWebBrowserApp_get_Name
IWebBrowserApp_get_HWND
IWebBrowserApp_get_FullName
IWebBrowserApp_get_Path
IWebBrowserApp_get_Visible
IWebBrowserApp_set_Visible
IWebBrowserApp_get_StatusBar
IWebBrowserApp_set_StatusBar
IWebBrowserApp_get_StatusText
IWebBrowserApp_set_StatusText
IWebBrowserApp_get_ToolBar
IWebBrowserApp_set_ToolBar
IWebBrowserApp_get_MenuBar
IWebBrowserApp_set_MenuBar
IWebBrowserApp_get_FullScreen
IWebBrowserApp_set_FullScreen
IWebBrowserApp_Application
IWebBrowserApp_Parent
IWebBrowserApp_Container
IWebBrowserApp_Document
IWebBrowserApp_TopLevelContainer
IWebBrowserApp_Type
IWebBrowserApp_Left
IWebBrowserApp_Top
IWebBrowserApp_Width
IWebBrowserApp_Height
IWebBrowserApp_LocationName
IWebBrowserApp_LocationURL
IWebBrowserApp_Busy
IWebBrowserApp_Name
IWebBrowserApp_HWND
IWebBrowserApp_FullName
IWebBrowserApp_Path
IWebBrowserApp_Visible
IWebBrowserApp_StatusBar
IWebBrowserApp_StatusText
IWebBrowserApp_ToolBar
IWebBrowserApp_MenuBar
IWebBrowserApp_FullScreen
SWFO_COOKIEPASSED
FindWindowSW
ImportExportFavorites
fImport
strFailureUrl
strUrl
Import
Export
getErrorMsg
getErrorUrl
getAlwaysShowLockState
get_URL
SetDefaultSearchUrl
get_InWebFolder
FindOnWeb
GetSearchAssistantURL
InWebFolder
m_WindowSetHeightDelegate
m_WindowSetWidthDelegate
m_WindowSetTopDelegate
m_WindowSetLeftDelegate
m_WindowSetResizableDelegate
Interop.SHDocVw
SHDocVw.dll
System.Runtime.InteropServices.CustomMarshalers.EnumeratorToEnumVariantMarshaler, CustomMarshalers, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
$EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B
$EAB22AC2-30C1-11CF-A7EB-0000C05BAE0B
$34A226E0-DF30-11CF-89A9-00A0C9054129
$0002DF05-0000-0000-C000-000000000046
$D30C1661-CDAF-11D0-8A3E-00C04FC9E26E
$65507BE0-91A8-11D3-A845-009027220E6D
$34A715A0-6587-11D0-924A-0020AFC7AC4D
$EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B
SHDocVw.DWebBrowserEvents2
)SHDocVw.DWebBrowserEvents2_EventProvider
SHDocVw.DWebBrowserEvents
(SHDocVw.DWebBrowserEvents_EventProvider
SHDocVw.WebBrowser_V1Class
6SHDocVw.DWebBrowserEvents
$8856F961-340A-11D0-A96B-00C04FD705A2
SHDocVw.WebBrowserClass
6SHDocVw.DWebBrowserEvents2
$0002DF01-0000-0000-C000-000000000046
SHDocVw.InternetExplorerClass
$C08AFD90-F2A1-11D1-8455-00A0C91F3880
SHDocVw.ShellBrowserWindowClass
$F41E6981-28E5-11D0-82B4-00A0C90C29C5
$7716A370-38CA-11D0-A48B-00A0C90A8F39
$FE4106E0-399A-11D0-A48C-00A0C90A8F39
$85CB6900-4D95-11CF-960C-0080C7F4EE85
$9BA05972-F6A8-11CF-A442-00A0C90A8F39
SHDocVw.DShellWindowsEvents
*SHDocVw.DShellWindowsEvents_EventProvider
SHDocVw.ShellWindowsClass
$729FE2F8-1EA8-11D1-8F85-00C04FC2FBE1
$64AB4BB7-111E-11D1-8F79-00C04FC2FBE1
SHDocVw.ShellUIHelperClass
$55136806-B2DE-11D1-B9F2-00A0C98BC547
$55136804-B2DE-11D1-B9F2-00A0C98BC547
$E572D3C9-37BE-4AE2-825D-D521763E3108
$55136805-B2DE-11D1-B9F2-00A0C98BC547
SHDocVw.DShellNameSpaceEvents
,SHDocVw.DShellNameSpaceEvents_EventProvider
SHDocVw.ShellNameSpaceClass
$F3470F24-15FD-11D2-BB2E-00805FF7EFCA
$EFD01300-160F-11D2-BB2E-00805FF7EFCA
SHDocVw.CScriptErrorListClass
$BA9239A4-3DD5-11D2-BF8B-00C04FB93661
$47C922A2-3DD5-11D2-BF8B-00C04FB93661
$72423E8F-8011-11D2-BE79-00A0C9A83DA1
$72423E8F-8011-11D2-BE79-00A0C9A83DA2
$72423E8F-8011-11D2-BE79-00A0C9A83DA3
$1611FDDA-445B-11D2-85DE-00C04FA35C89
$B45FF030-4447-11D2-85DE-00C04FA35C89
SHDocVw.SearchAssistantOCClass
$eab22ac0-30c1-11cf-a7eb-0000c05bae0b
AxInterop.SHDocVw.dll
System.Windows.Forms
AxWebBrowser
DWebBrowserEvents2_NewWindow3Event
DWebBrowserEvents2_PrivacyImpactedStateChangeEvent
DWebBrowserEvents2_UpdatePageStatusEvent
DWebBrowserEvents2_PrintTemplateTeardownEvent
DWebBrowserEvents2_PrintTemplateInstantiationEvent
DWebBrowserEvents2_NavigateErrorEvent
DWebBrowserEvents2_FileDownloadEvent
DWebBrowserEvents2_SetSecureLockIconEvent
DWebBrowserEvents2_ClientToHostWindowEvent
DWebBrowserEvents2_WindowClosingEvent
DWebBrowserEvents2_WindowSetHeightEvent
DWebBrowserEvents2_WindowSetWidthEvent
DWebBrowserEvents2_WindowSetTopEvent
DWebBrowserEvents2_WindowSetLeftEvent
DWebBrowserEvents2_WindowSetResizableEvent
DWebBrowserEvents2_OnTheaterModeEvent
DWebBrowserEvents2_OnFullScreenEvent
DWebBrowserEvents2_OnStatusBarEvent
DWebBrowserEvents2_OnMenuBarEvent
DWebBrowserEvents2_OnToolBarEvent
DWebBrowserEvents2_OnVisibleEvent
DWebBrowserEvents2_DocumentCompleteEvent
DWebBrowserEvents2_NavigateComplete2Event
DWebBrowserEvents2_NewWindow2Event
DWebBrowserEvents2_BeforeNavigate2Event
DWebBrowserEvents2_PropertyChangeEvent
DWebBrowserEvents2_TitleChangeEvent
DWebBrowserEvents2_CommandStateChangeEvent
DWebBrowserEvents2_ProgressChangeEvent
DWebBrowserEvents2_StatusTextChangeEvent
AxWebBrowserEventMulticaster
RaiseOnWindowSetHeight
RaiseOnWindowSetWidth
RaiseOnWindowSetTop
RaiseOnWindowSetLeft
RaiseOnWindowSetResizable
AssemblyKeyFileAttribute
AxInterop.SHDocVw
System.ComponentModel
BindableSupport
&{8856f961-340a-11d0-a96b-00c04fd705a2}
System.Int32
.C:\xbox360\Projects\WindowsApplication2\jf.snk
04/08/2004 01:56:46
)System.Resources.ResourceReader, mscorlibsSystem.Resources.RuntimeResourceSet, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
^System.Boolean, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089iSystem.Drawing.Size, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aiSystem.Drawing.Icon, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3apSystem.Globalization.CultureInfo, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\System.Int32, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089mSystem.CodeDom.MemberAttributes, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089}System.Windows.Forms.AxHost State, System.Windows.Forms, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089kSystem.Drawing.Bitmap, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ajSystem.Drawing.Point, System.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADc
%]-):(/!
System.Boolean
TSystem.Drawing, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Size
System.Drawing.Icon
!$!101989
141),))01
)89),))01)
),)),)),)),)),)),)
),)),)),)),)),)),))}
!49),)),)),)),)),)),)),)),)!
)()),)),)),)),)),)),)),)141
)()),)),)),)),)),)),)),)),)),)),)!
)()),)),)),)),)),)),)),)),)),)),)),)),)!
)()),)),)),)),)),)),)),)),)),)),)),)),)),))}
!$!!$!!$!!$!)())())())())())())())())())()!
! !)())())())())())())())())())())())())())()),1
)41101)()
),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()! !
989!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)!$!
!$!)()),)),)),)),)),)189
)()),)),))
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
!$!9899<99<9),)
!$!),)),)),)),)101
)89),)),)),))41
),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)!$!
! !),)),)),)),)!
),)),)),)),)),)),)),)
),)),)),)9<9
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)! !
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)! !! !
)()),)),)),)),)),)),)),)),)!
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()9<9
989)())()! !
)()),)),)),)),)),)),)),)),)),)),))}
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)989
9<9)()),)!$!
)41),)),)),)),)),)),)),)),)),)),)),)101
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
)()),)),)!$!
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
!!$!),)),)),)),)),)),)),)),)),)),)),)),)),)!
!$!),)),)!$!
! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
!$!),)),))()),)
! !),)),))
! !! !!$!!$!!$!! !! !
)()),))01!
189),)),)),)),)
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
),)),))()
)()),)),))01!
1<9),)),)),)),)
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)101
!$!),)),)),)),))
141),)),)),))()
!$!),)),)
),)),)),)),))()
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
! !),)),)),)),)),)),)189!
!$!),)),)),)),)),)),)),)),)),)),)1<9)}
!$!),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
101!$!),))()
)()),)989
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)
)()),)),)),)
101),)),)!$!{}{
! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)9<9
! !),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)9<9
9<9),)),))())()
),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
989),)),)!$!
)()),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)141
1019<9989101),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),)),))()
!$!!$!! !! !! !! !
FFF.FFFs@@@
%%%x(((
System.Globalization.CultureInfo
System.Globalization.CompareInfo
System.Globalization.TextInfo%System.Globalization.NumberFormatInfo'System.Globalization.DateTimeFormatInfo
System.Globalization.Calendar
System.Globalization.TextInfo
%System.Globalization.NumberFormatInfo
LSystem, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.CodeDom.MemberAttributes
ZSystem.Windows.Forms, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
!System.Windows.Forms.AxHost State
System.Drawing.Bitmap
(7),01444
'9=82<.342
sx.LM
m.MZc
ÀRL
%fNHVx
.Zz`:TYo[
B)3%u[
IO%c(
N*.vU
r'QA.TQ
>/; 7'3'7
`öv
7j8f-X}
7S
IÝ~t
g^z%d
System.Drawing.Point
.cctor
_WinMainCRTStartup
0.591396905
add_KeyDown
AssemblyKeyNameAttribute
BurnerMax.exe
CreateSubKey
get_KeyCode
get_Msg
GetExecutingAssembly
GetPublicKey
ISupportInitialize
KeyEventArgs
KeyEventHandler
Keys
Microsoft.VisualC
Microsoft.Win32
NineRays.Decompiler
NineRays.Obfuscator
RegistryKey
set_KeyPreview
SetWindowsHookExA
System.Diagnostics
System.Drawing
System.Globalization
System.IO
System.Resources
System.Runtime.CompilerServices
System.Security
System.Security.Permissions
System.Text
UnhookWindowsHookEx
..\jf.snk
vThis software protected by 9Rays.Net Spices.Obfuscator (Evaluation version) and can't be used for commercial purposes.
C:\xbox360\BurnMax\BurnMax\Debug\BurnerMax.pdb
GetCPInfo
KERNEL32.dll
_CorExeMain
USER32.dll
GDI32.dll
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tb2323xt.exe
VC.NET How-To XP Theme Support
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
8 9'999@9[9{9
=%=1=?=^=
0D0J0y0
5 5`5 6|7
7$8(84888
mscorlib.dll
1.1.0.0
Interop.SHDocVw.dll
Assembly imported from type library SHDocVw
8856f961-340a-11d0-a96b-00c04fd705a2
$this.DrawGrid
$this.GridSize6
$this.Icon
$this.Language
$this.Localizable
$this.Locked
$this.SnapToGrid
$this.TrayHeight
$this.TrayLargeIcon
axWebBrowser1.Locked
axWebBrowser1.Modifiers
axWebBrowser1.OcxState
button12.Locked
button12.Modifiers
checkBox1.Locked
checkBox1.Modifiers
comboBox1.Locked
comboBox1.Modifiers
pictureBox1.Image
pictureBox1.Locked
pictureBox1.Modifiers
pictureBox2.Image
pictureBox2.Locked
pictureBox2.Modifiers
pictureBox5.Image
pictureBox5.Locked
pictureBox5.Modifiers
tabControl1.DrawGrid
tabControl1.GridSize
tabControl1.Locked
tabControl1.Modifiers
tabControl1.SnapToGrid
tabPage1.DrawGrid
tabPage1.GridSize
tabPage1.Locked
tabPage1.Modifiers
tabPage1.SnapToGrid
tabPage2.DrawGrid
tabPage2.GridSize
tabPage2.Locked
tabPage2.Modifiers
tabPage2.SnapToGrid
tabPage3.DrawGrid
tabPage3.GridSize
tabPage3.Locked
tabPage3.Modifiers
tabPage3.SnapToGrid
textBox3.Locked
textBox3.Modifiers
toolTip1.Location
toolTip1.Modifiers
0, 15, 0, 0

scvhost.exe_320:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
http://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
%Documents and Settings%\%current user%\Application Data\dclogs\2014-08-01-6.dc
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetKeyboardType
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
PeekNamedPipe
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
CreatePipe
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
wsock32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
SHFileOperationA
URLMON.DLL
URLDownloadToFileA
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
FtpPutFileA
winmm.dll
netapi32.dll
gdiplus.dll
GdiplusShutdown
msacm32.dll
ntdll.dll
WS2_32.DLL
SHFolder.dll
SHELL32.DLL
AVICAP32.DLL
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
UntUploadFTPThread
UntFTP
UntUDPFlood
UntScanPorts
UntPasswordAndData
UntHTTPFlood
UntCPU
No help found for %s
No context-sensitive help installed
No help found for context
No topic-based help system installed
Unable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format
Clipboard does not support Icons
Cannot open clipboard
Menu '%s' is already being used by another form
Dock zone has no control
Error loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x
Method '%s' not supported by automation object
Variant does not reference an automation object
Dispatch methods do not support more than 64 parameters
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
Not enough timers available
GroupIndex cannot be less than a previous menu item's GroupIndex
Cannot create form. No MDI forms are currently active
%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s'
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented
Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
List does not allow duplicates ($0%x)
A component named %s already exists
String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format
''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'
Variant method calls not supported
Invalid variant operation
Invalid variant operation (%s%.8x)
%s
Could not convert variant of type (%s) into type (%s)
Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow
Invalid floating point operation
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Privileged instruction
Exception %s in module %s at %p.
Application Error
Format '%s' invalid or incompatible with argument
'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

scvhost.exe_320_rwx_00050000_000B2000:


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    tb2323xt.exe:1748
    mscorsvw.exe:172
    %original file name%.exe:1784
    %original file name%.exe:1720
    scvhost.exe:1872

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\ga[1].js (2107 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\loader[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[1].txt (1614 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\swfobject_modified[1].js (6822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URM7CBUB\us_usbv2[1].htm (1639 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\usbv2[1].jpg (1242 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (3892 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@x360usb[2].txt (1095 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9YXQNK1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CRQZ8ZQX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[1].htm (277 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I929QL0X\projectf[2].htm (277 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@x360usb[1].txt (918 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@xconsoles[2].txt (1799 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\m549576.png (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tb2323xt.exe (7337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\autB5.tmp (7185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\autB4.tmp (3929 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vhost\scvhost.exe (13122 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Svchost" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\vhost\scvhost.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
