Trojan.GenericKD.1684739_312edbcc2f

by malwarelabrobot on May 23rd, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.GenericKD.1684739 (AdAware), GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 312edbcc2f351952561a9a79463d172d
SHA1: cd1a506899cfbf5a490506de4f96a61a5add666a
SHA256: f587157f08365ff6deb31a26e3d08c6164de676b381c624e40435712fbdc6725
SSDeep: 24576:4yDULOT9eznCeyen7Mb5Ru l3HD 6s8VEiPUNkzxtmyASTgn/:/DE2levq5k fs/kzxtmyJM
Size: 1452032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-07-14 02:42:43
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

583.exe:1868
%original file name%.exe:480
rundll32.exe:1348
rundll32.exe:212
rundll32.exe:596
rundll32.exe:1772
rundll32.exe:1784
rundll32.exe:1720
rundll32.exe:1568
rundll32.exe:240
rundll32.exe:488
rundll32.exe:280
rundll32.exe:1752
rundll32.exe:1672
QSSSSS~1.EXE:424
QSSSSS~1.EXE:772
qqq.exe:568
qqq.exe:324
DW20.EXE:1852

The Trojan injects its code into the following process(es):

rundll32.exe:1184
25.exe:840

File activity

The process 583.exe:1868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)

The process %original file name%.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (0 bytes)

The process QSSSSS~1.EXE:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)

The process QSSSSS~1.EXE:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)

The process qqq.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Kurulum\Server.exe (4185 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dummy.html (0 bytes)

The process qqq.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\svchost.exe (1895 bytes)

The process DW20.EXE:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes)

Registry activity

The process 583.exe:1868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 C9 33 23 49 63 BF 2D 51 A6 E3 8A 07 F6 DC 4F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"qqq.exe" = "qqq"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 DD 8A 34 59 0C 51 99 88 3E E4 B2 3F 4B 07 BD"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process rundll32.exe:1348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 41 BA C7 A9 88 16 06 9A A9 54 6D 82 8A D1 93"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 2E F2 F8 77 EE A1 68 FB 1F 1B 6C 3C CD 3B 7F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 EE D3 BF 27 9B 29 10 52 6A 0D 6D C4 8F 75 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 49 8F F8 06 7F 4E C2 BB 67 28 14 C2 BE DE 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 FD 28 DC 10 AB FE E1 27 DE 54 BB 2A A1 C6 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 1A 26 41 FA 85 92 71 A7 DA 49 26 27 2F 04 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 72 91 8E 64 FF 39 D2 90 E2 51 F7 9A C1 DD A2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 BE 04 58 1E C1 7C BB 25 0E 66 BD C4 03 4F 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 7A E2 DC 1B B4 DF A7 22 0B AF A7 B9 0C B2 DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E2 82 04 84 39 F2 10 9D 7F 1E 8B 73 33 7C 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB A3 1E 80 7C 65 D9 E4 41 74 74 FC 62 72 BC 50"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 DB E8 00 76 A1 EC B6 BA 75 69 D3 82 7B 8F A1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 FE C2 31 C6 F7 B9 A7 DD E2 67 A2 40 28 94 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process QSSSSS~1.EXE:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 98 C7 75 8F D1 7C 3B 3B 72 05 04 38 12 A0 C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process QSSSSS~1.EXE:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C5 66 B9 5A 5D E2 7F 0D 3E 19 B5 ED 91 67 7D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process 25.exe:840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E A3 10 28 DA 60 B2 D1 0C 40 D4 2A A3 5B E6 DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process qqq.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D1 2A E4 AD 1A D5 A7 52 5D AB BD E0 90 C5 08"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{392EE29C-9DB0-ADDF-AEDA-EC2FE7D42BAA}]
"StubPath" = "\7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\Kurulum\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\Kurulum\Server.exe"

The process DW20.EXE:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 73 79 B0 24 BA 1F 58 4D 5C 29 FD 28 F6 5F C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
f1272bff9356e64c28b0db7d91af83d1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\25.exe
f1272bff9356e64c28b0db7d91af83d1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\583.exe
705fea8c2ef23e6b9567dc8f4f8aa148 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\qqq.exe
705fea8c2ef23e6b9567dc8f4f8aa148 c:\WINDOWS\Kurulum\Server.exe
9e3c13b6556d5636b745d3e466d47467 c:\WINDOWS\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 8.00.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 8.00.7600.16385 (win7_rtm.090713-1255)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 43748 44032 4.53606 3aeb6fb8fe8ab95f2462e3afb8b8acd3
.data 49152 8796 1536 4.57321 f3764284f4d25ed35f75b9c16e1ab608
.rsrc 61440 1404928 1401856 5.52627 3ad02c43911ebb5ab451f93e4ad20f61
.reloc 1466368 3480 3584 3.33168 bc74eb2a181cf1029262828db6ac5b5d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

qqq.exe_568:

.text
`.data
.rsrc
MSVBVM60.DLL
ct1.vbProgram
ShellPipe
Program.Socket
Program.ShellPipe
sUrl
sPassword
lPort
bPassiveSemantic
sWebcam_Module
sKeylogger_Module
clsftp
modSocketSupport
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
TextCmd
FindExecutableA
ShellExecuteA
RegCloseKey
RegOpenKeyExA
advapi32.dll
RegCreateKeyA
RegDeleteKeyA
advpack.dll
kernel32.dll
GetWindowsDirectoryA
avicap32.dll
MsgWaitForMultipleObjects
shell32.dll
ntdll.dll
psapi.dll
wtsapi32.dll
version.dll
user32.dll
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
GetAsyncKeyState
SHFileOperationA
keybd_event
WINMM.DLL
GDI32.DLL
VBA6.DLL
ws2_32.dll
gdiplus.dll
msvfw32.dll
GdiplusShutdown
%System%\MSVBVM60.DLL\3
RemotePort
LocalPort
RegCreateKeyExA
RegOpenKeyA
RegEnumKeyExA
ExitWindowsEx
olepro32.dll
CreatePipe
PeekNamedPipe
ClosePipe
wininet.dll
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpPutFileA
FtpGetFileA
FtpDeleteFileA
FtpRenameFileA
FtpFindFirstFileA
%Program Files%\Microsoft Visual Studio\VB98\VBA6.dll
msvbvm60.dll
comdlg32.dll
HelpKey
getservbyport
Webcam G
?8??8??8??8??8?
lngRemotePort
lngLocalPort
sProxyBypass
sKey
lngPort
'Qmou&vtia}gk&fghljq%d`&tsh&lh&B@U&kmbd(
=w.Xv
B&.VP
%C]Y^\
}"&s%SUS
PSShx
 
@Yp.SoO
v.WlL
R".TWl
QSSh~
.4Q-336
PCICGP&isiaoh\pto*.`fqhjoYpqj*&pukqogldZ`ick`hq)%prdwkgkdYp`itc*&qdqrqnwb^cjdo`hu*%u`vuvmpbYpdlw`*&ulgkih^s`gjh)&baqc^etdaqcb%gwjk%joaoku
XZ%fY_\]Z
VCJCEQ&lb)&niurhgkc*/nr{vTcgjk,&`ithUsmkorS\I*&suc}kgkc@occg*&uauuqotj@o`ia*%chfw|vqfbPpfqjblc*#coeq
gohb%is&eimtkh&lhb`}&npq!ng.tghbc
gp~ljlgs|!bgr`dgvd%cjtkdq&cttjw
iofkmoa%svjpnljo
sqlir`Y}ehgheYtagia
.HPJI&
6=4<287550>:1113=6
T``ap`tkj% `%hwdcfu%cwik&SGJ%coj`&#w
OVK#bgilca vowk.OSJJ"tsgvgrce!rwgveocht
urtgha.iw&dbid%rio&moa
dbjwq%dr a%ia"^ v\?%#v
adl`a{$m~`k%vdseuilkq/(%STI%|qaq`igkqv"lk$uwjbp`vs
lfnko{.tiibdgem&{}gi|dlrfin"-/UWN"|zgrjcja{u%oi vr`b}gv|
VCI@DV&ldk`*%woirrga`."vvj&CWIK'"'t"/'v&UJERG'%u&MTACW%G_.wjuob
f`khjr%fnghac% v&rgk&hia`%cwik%roqnlk&g'qugkvgernjk
kous}c&`b.gaatjagrc&`shezoih&#(,|./
#w&#v&D\%r`wh&isu&i`&tghac&,%umisjb!c`&dcrqcck&7!dha& a
&qcthv&oh&JWBCW%D\%emdpuc
%enjshh%oh%tmc&|crpiq%ucr
qoj%lgh|%qetkv&ih%#v&D_%figpsc
d&IWISU.DV&mjgsvc&lu&r`tpow`a%mjcit`&MDPOHA
daivjabq`%cshftiokv%gtc%nkr%djhisab lk$qme$EVKPU%G\ gidswe
{`` hghv%cocukhv%ik" p
ud8'qthbfct!%DKB&. r(
sqllu`^
uglma%%u%kd|&hjrÜ%diqctca
PUADRC&$ q' #u%UKR&vti/8&vtjoqcY}jkdk`Pudtckq.|tj(& W./!S/$SJGPC"*v=
[VJGQG&'W( |&V@V&u~n&;"GGUG&RLKH%r|u`&8%"ptlab`w".QM@J%uuilq`[wahgb`Zrtobcct.vtj)&#T,JIVC%utjorkYwjagkcYqndic-utj*& T,&@HB*%qgiZkdkc&;%#W*.hake&;&EGUC UNCH&r|vc;!qodjc!&QNCH/*W"QN@H&ackc&JOMC&"u~jozcYgsriolbg~##!&GHB&q
vg;!ohdg~!%RHCK&!wqjlrcYgzvilhf`~]'%sz&#W&zz%usmurr.hnkc*#b-1>&&CNUC&hgkc/CHB&QNCTC&rdjYhdk`8#W DND&.r
PVDGRC%vtllre_r`kvQigvret&SCU%uwj&;&v
Eghhir&gbj g%UTLLOT\%KK_&ejlpkh
Edhnit.gbb%g&SHGWSC%eij{ch
Edkhir%gbb&o W@@@WKHM@V%eiiuk`&qorn&hih#HPII&bccgplr%sgisc
Egnhar&gad&g%[email protected]&wozn¼`dsjr%pglsc&NTJJ
WUEBV@!$'r-/&q"QCV"qrm"8&qzgqwt.qsm)3(#f  sy&!#"%&~z&'S&~z&|wdpvq*uwj)#k,"UN@WC%q{rg%?%'qcgng"%NLF&mdbc"8/#T
yo}qsdi#tdmc`q"hdv&ajp"mg%ciqj}`f
Ldkkjv"dab"c%fkjpkk&qi%d%sl`r
A@I@QD%CWLH. _-&r%RM@WK#qgb; _
V@I@FQ%qgb*%ha})%vqdr%CTAH! T vtilq`Zvrdq?
adqdgduc% u&ov%git`db|.ok%p}c
`i&up`g.gbrgdgpf<#&u
igocfr%mdnf&wf|`ws`b%ei}%lhqftkbo%svf
ve>##u!)$hgba8#T-%rgiZkdk`8 T)%tnnquda`<" b)&uti8#T%RMCWK.wayha8& b
udwdh`ra|v%ds`%kju%diiar`a%lo!slarv
rgcr&#v.kv.eksepjdti|%j`hok`a
ucgnk&'vÍ
%kir%d`%a|ju~`a
A@I@R@%CWJH& T( v%RNCTE&qbiZk`k`8 P.dnd zxvc$;!tribg`w"
A@LEQ@%CWJM! T,uwjiqc^qtdq7%RMCR@&rdj= _
sowqsdj%udgmcv"kd|%kjq%gg%okac}`e
lkaf}% v%ciw`df|%`~lvrv
zgljc& }/fos.ka.eib{mk&hgk`b% v
lkb`~%asujfoaq`b%ulrm%SHLTW@%mp%RTOHGPY%ME_!eihuqscilr&eanhjt gf apjuuca
FCJCRE @TIH #W.%u RHCWD!k`kc8#Q&DKA qype8!lnae}!
vkddj`&wi&hbdhrgh{&rfd!illcbu&po&dc&vcojbkweb
@VEDQ@!c~vwgurlih&ksvpÝ&d%rohbi`%fmgtgeuct
rgdjc&#U&ngu&#b%mkjskhu&dsr&#b&pgjscu.qct`&usvviocj
&ov#mit%shots`
pkuvvvjwr`a%con`%cjtngr
vmmkjvk&it%s`usvviwqca&lllh%qwuc<%#Q%#W v R
WIAMR%gha&@SLL%JPQER&OILHs gt`&kiq&fpwwf`ti|%sppujwqka
g%KATPWBI%oiok%hgy&kiq%ngpk gl&JL ir%SSJMG%elgusc
echhiz%maw`%dmrn&JN c`a [VHHA en`uqeu"gh rm`"}gke ojln
!g%uohal`&w`u{bq"gibiv`j&fju%a&SGICFQ&qngr&lu%vgvr&kc&ak%b}ttcvuojh
vwjmq`Ytpdwr`t|Z%uZ
q|vk;$z|lbbct)%[email protected]" 
ki%}scf.rtoia`t4. U
`i#up`núiscm4% u
mdk`at%PGMPSB%c|jh.qlqmlk.d%zwd`}deqjjo
mo``aq$PDMSTH& $VWI.wrgpkh``ru#l`.uwjbwc}u
EUPEFM/#(.GU&rees{bY`f=
UCJKEP&!EWADRC&RDGIJ/pgespmPbd !/zx&vsmvpw.vti*>2/&/%CWIB%vtblr`Zmeupcr&YHJRA%q|ve8!pg`c`#ªB%jgca#;#uujo{cZw`~qahg`"&/ÚB&vjjrvgbj85
VAJ@EP&"LVAEPJ.MJBC]/ynlssiYbd(&%zy&usduqs.uwb*71/&%@TIK%uwjordYkgrqcw&QNCTC&uwj&ILMC&!FTCDRJ%OHBC^%#!&
VCJCBR%!ETCGRC%PKOWSC&OHBC^&pgfpskYbd.!&zz&vsduqt.uwj*37/&%&CRIK&uwjoreYhdurct WNCTC uqi JOM@!!ETCGRC!SHIWPC&LKDC^&#!
SCJCER&!IHU@TQ&LHQN&pdespkYad('&z|&wsirc.hake/&zz&!$WCICFU%,&CTIH&kgoh(&&z}&tsirc.hgkd/&y}!"=!@S@K&kgoo uwmorcZkguq`t&RNDTC&q
UDMCL[%!F@JJQD&@SJK!wglsshZbd((!zz%~piqd'a`hc/&}y/!4!&CTJK.ynbzzkZjg vwbkrcYl`urjt/QNK]C/kgk`3!utcfrcPvcwsjkb`!%
VJC@LU&!LKUCTR&OHRI&pdfsskYbg(!&zz&wpiqa-hghc/%yz%!.UCJCFR&,%@TIK$keok(!&zy%
GHUC\Z%OJWM&rdepskYb`(uwiorcYlourct%&%UCJCER&r
vc;)rggj`".DHB.tiaruoac;5/
FW@ORC%XLTRSGJ%ROGI@&#Q
PUBGQC%#W(#v%V@R%r|uc;"qgdjc"*%hdc`8#W#.qgiZkgk`;#W)&qiir~ga`25)&uwj;#W&QNCTC&tiroa;% b
prgdjc%fonvtwperj}&bkd"kjq&b`ancwe"ufmekg<&%s
ni%upfh kjauj`:%%s
cdhnir&ps` okd`~?%%s
ugtset%sqacm jp`wfioq
h`gt " T"?%uyktd}&erwi|
tnc&NIR&OHBE^CB ejgusc iu&hor gjlixcb&ja&S_BNQ@&jt%A@JCT@%urgrch`h{u&wo{noh%rrlbbjtu
kd{dggv`%fj}vzvqlja/dv%claj& `/ab%]' 46uX
eg`hir%iu`h%cgbc&dr%blkc.#a%i`&]#(>6u[
AcrTdtchr
%%%& ss`c`i|Ie`n{lq|%q{u`8'Xlk67' kah`8'Hlfwivjcq Rlkdjxv Fjhhjk(Fjkqwjiv'%scwvljk8'8 0 5 5$&
EbbZvpvp$@}q`whgh$EG.Wjjz6
>15353565
<560=5451=6=_5
Rm`%SU@WRWSUQ&K`qrjwo7$6
kqqu8))if|v sqctqtzuq.com?
P[K-SUJWIl}vq"@gn`eu?
Atggvct.Kghgnc}vc|7
mruv;).vrr(suctqwtuu/enl0
006>4116656?\
416321712>59\6}7
LKHIBI%FN%Jiblrcd4'6
425<71616651_
@gt.Ua`ct5
5nrqu
E@BJBI%FG&Iokoqde7.5
AIBIFM%Aiaj/Vlaklab%CN"4
42277945520;\6!
[#AYARBASLANGIC#][#NOIP<<65066EF90B7603C0632DBF17DFC7C7612F47479EBC8581E6D1D03F35AEFB52DCF844F081F5A59D29103D7657F69C840B60F1715F755A1E8617CEDA2B016EBAE794B40A6F38FE693F65FEB847C8C6F8A30679F877A85532B19D687EE52295230CC48818200D0352DD018AF89C8C7242924591A9B212CBBB22B1BD16A29E8DBB4615DD87D2FFD0433FB03D2310D1FD5215EA98EF4B7E5561951E26CE9C8032EC10D28EC0829A002BE27D3364A0E34292E7C129F77FBBD21506B080D350959FA4290736F2AAECEFB341F68868480E1E6DC516616DCBD45CFD317227D17BE7F1108ABFF387883EFB09D965989C84DCED51EA751A7DE893D08B94F1F775D705031832>>#][#PORT<<32CE0060EF02755BD764A0C8A8871768DA588905866B72C5F4B8E193DAFA1EB02C6E6F6053EB7EBC0528E3957C96C4D2875CA1CD427B3231B186375C2D8154304263210861F3C83A39FF8D50E7C3F6D053A4122B1F8A188A0624F780CAC4B3150D9A33B207571EF49DA5A896138CB78069A9E73989D3316BE29170DCE0804878F9CDAF3B30934B439D174041AD2BD33F36A8AE54AA9087B171876D4DD9F1DF3773F9233F87635EC6A5D063AEE05C9766279E3098F181E9F75E02782E6213036F2798599A39022197214CDD7A1A1DCED467C7FDA2099F219AD4BEA19C666201B87EE9DFE9716E6153FDC7380085A9C562A29E1F0C1DA63B7641F73231D31AA3F3>>#][#KURBANID<<451272F4F97CA22B4FB824AE90EDB509B212CAA6699EF1EEB6295DE4493778200CA95AF601895DA951B6D613ADF86D9A55280B967C00398A928DCDC3E7B40A96F1294D80B479EAA1C8781E9B7DCE6313DFA9AC0AA44678DD672386251ACA2DF202C2156CE21A074E809A2406898C81311CB1987D2B0BDB6303887545B25691F0CDD0DEB596C81CEC8338D50CDFCE74AF989CB9ED9E684F18B096C561B9B4208C5DF054199D5F99385E6E5FEB4AEEE9099E063D530B3E7FF9FC2BE2B3FCBF45443E3CA39383B927EC5D586CA0D70B4C7CBC0C10AF3C66D701F121FB3985946FD1FB52F65E52367447CBD2AA65917F47033D085F793DBD442D5C9538AD230E47F1>>#][#BAGLANTISIFRE<<2BCF33C6CD44D99531F4517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALANANYAZILARIAL<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#USBDISKBULAS<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#WINDOWSFIREWALLKAPAT<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#SERVERKAYBOLSUN<<2A9DCEE98CE1A03C981369A7EBFEDD103B48EF6B970F2E925651C8426E76EFEF653A95879C7696840C4E70AA527532E15F9DB06BCF3AEF4718B6231F1B2E90AA19AA11A7059E73B1F3927E7C2CF411B31F40E868B482FBB9FD8CC4040BB81D811BD4C5FD2D6B3FB6B132D5529D4FFD3A9EC39A95287B969EAB2B71A6A5A71AE68FC836BDF7F2FA882902B91FC8187D2BBF7ECAE54F76046A46242E3ACB108C8F58DE275B86092B9BBF18EF56D2E4D23A2881BD0D4F8B0AD031CB7EF2234676F15B251DCB004096E11807BB2DE04882DA3D24B7824B0D2AC4D03567444F9D1CFC7B769CC187B03D51D6A2215794D88FBFE2F7BCB6660D2ABC07F6ABA3F569C2A9>>#][#KOPYALA<<1>>#][#KOPYALAMAISMI<<4D027208FD80D0C27029517E084139EF9A7868474158328F995CDC0D0BA8F4717BE6B466E1C4483FFF54B500F9866018868AB45E4ACCA353CC12D41CC8BBA0FDAB5C03E6633F16191BFE40020C47F45E75B4194D304B12BCECDFE6787BC9BC9752C88F49D742E9085B5D0D606C81FDA192B1622EDE138CA7A5C01F3DD34D96599FA6272D6ACB4B66E96DA6B5C5EF097ACA3F5A5D005C5AB1A46E8DC8F8C378A03DB3956E8756CA12746A9A5D038CE54608988FF682A68CB416E878B59AE8AFC9D8E8E5689A5D71E5A70F72F51317DBA279FA8E5791ABEA0E24E8B1A0A2F7C96E1A846477CF9F8BBCAC9ABD595F8AB96849DEE11AD827849A7CAC41643EAC4D6D>>#][#KOPYALAMAKLASORU<<4512720704830F5DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#KOPYALANACAKYOL<<71066EF60785155DC61B4583AF2C0640D3CF53E0C13D01885018B9287CD5DF395D15DE25C25091832A6D4BFBE5F1470D40522C286D28F87BF4000E06D14DDAAA2E3BA0443AA2A3B129D473F00614D022B3647BEFC17ADC072A8E8E42EBD3C5257E812102760CCDBC357410E5C778F4046027D53771D6C1B0A7E9CDE07F8DF7EF030BB7E3283221650171765D9A428936BA81CC43B2DF79FC1FF1DFE400DF83CB70FE356C457AB434426FB91E75D4A17DF614B518373D9C6C87CDD89223EC7C3E7A7B702001859A282C912E2B8D14919E0946E5FB36907A4711DF8D305B98F80B5369BB430E39E78AF3BC688993A66C1AE6F930AFE07DEB90B24CD1BEDD484878>>#][#BASLANGIC<<1>>#][#HKLM<<1>>#][#HKLMANAHTAR<<42E84CDF98DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#HKCU<<1>>#][#HKCUANAHTAR<<42E843E798DCF951CBC2305000655D2B6C4F38AFBAF4BD656B89E61344B70E631CF66A6E067BAA192559B6E2DAAB0F850A75887D9550E6B5DE09A0407ED0B9478C1203D1D2B079E417CE40CCCA52808455F5AAB90CB88BAFF4FE984B79FF7EB73720EBE62AE6E4BFBACF07DC2A466A7769BA986C7AD8EA5E4A950D4115F15C7FB9C91EB9274A2535A946C9DD5632CBA8A0334F62FD5AFC4E3BF9FBEF2B12CE6B6EBC59566748B95303E101DAACC21DA318C94C28EFAE81CC6456DC5F988E0FC932E29849440A1CE4620B2BE189A4DDF5ADEBCA8B6F7D7123A1982E5FF8D1DD621FA8559FDC80093523F0843C454387697B018616D6B38B200CEB6DB9E8863285>>#][#MSCONFIG<<0>>#][#ACTIVEX<<1>>#][#ACTIVEXANAHTAR<<75D039C4DD53D4963BF18AF4F37D9332FF1C5F5C8B63C559A721AF6915A03A08353C814B17A22D212BE458A85B605EC74C8C07EA69765E06D6557A6F4A12D1589F7D703831584E3BEA3FC5AFE280A8F4A904B5662CDAB14F3AEE18916D8DB89CEB58648D11120CB137CFF05C943D38AC0757AC663DB406B132ADEA38A1737CA73EBD9807E69023FE5E72C46DBD347C6B32A59868E75D88E84B2B1CA07261CA76248AF6E07AED3D5FEBC36DDBAAC05E6B36C763E8B873A7B0CF45D8052EF34D072A59ACD69C83494EAADD59E5A7FECCAADF5BBCE23D9289860B57CD231E0431D31948E4A4D6F12F09E69E72C63E4AF2A339BB0E127F9520268BBD67F650712219>>#][#INJECT<<1FE145D8D963EEB13A16A0070492B816BBA670231D1C60B8C9F4637180D2224471E07B57C7D2A72F494C904997AC3A1385A8D3399B5F1F68F8F3899885598E06DF384DD14AF535631B13D191A97CF88E75EA5B42A425327B5B730A0B02D6B478A0F59113152204B0FFC0BABC71CA9E2F9835A469713DB59E6F8283787596F184B1A2E589A4A53143F2E1E936EB2049A1A717C91A3E2E84BDAF6990CA5626E115CF8C621F318B9909B082BA6B144B56CFA11BE6C04A497C8359B60BADA5D0615B743EE7C23A5D17EBF42EC848681820A6C00E18CA8F58B61DE8B4D3CE1BE24CBE9DC50E9DBBAB8698BB72B078E111421282FBFB610A265277D7B043D83726BD2E>>#][#GIZLINITELIK<<0>>#][#MUTEX<>#][#OFFLINELOG<<1>>#][#FTP<<0>>#][#FTPHOST<<601170C0FE8212D05D36C715237BC96028D8E7863EF17FF71A2B842E090C7AE3817A15462316DACDB065E1B51BDBFBDAB982ACF010475761D26674C2A6EB7F2E9E29AF448B381FFCEB270EA3FC407EB72EFABC9EF97ABBC1C882DEC6D1BBD1AC041F547E1D3FD5B997F3367B7D6032215EA359435D1CF38AE255C7EEB250374F97EF89EAFC40FE7A58E01F71C44EDB0BAC904753DF7F3F31C4F0B2AF697CF58CF970D17A4B0EE03413C1CD79F59EFEEABC17CAC1A47CA769112A63BB1D958D5A91B17264303C3E182B28048735A59E72334AE70351E36C262DD62008F02E46E8400B2E5B4DA25C9C44AC088FA6F6FE15F53E234BC84A549EFCC7ECC9085C60EE>>#][#FTPUSER<<601170B203830EC95932BA131A4D3448AFAB170EEA6D990FB48DE3564FCBD9004EFBEC84B29A895E730B71D5E0F0652C1BA3BFA48254D93070BDACF4DA81B6F41922566384A2B842B871A8F436140664A8D8550F80E9702BBD159B3ACC21F22748BF011D1EB0306991795986557E78469BBAFF6068A08314E28B163BAA9FF3AD5F4591C9053B95A88297A79DC11F61A577BF9E6DBEEA74FF214F424D75715C9821A86A3B3CB6CC545080788FFE6D24D4C0DC580806806AFF7FD8C044B588D240D41B70C607D2B97E7FE62F70915BA5287C4492C7455446693F5878B3AB1B39B57955C73EEA48BF7D123EEF123DDF89342D2B2F7DBDD8EF9226454B2E9E1CF3CE>>#][#FTPPASS<<601170B20B7708CF5DC41F07A52064D05B27312684CFF837FA4C42731C4CB03EDD7F9B157540197E3820DB27421178E08DB0417320AB1162A453E3BA557A5D13128CEFA951EC5293F24530A1B0F29FD52F470A79757C2D9FB87BBCB510C19FC649305CCD1836537469979FAB92951E63A63E8FEA68D6D261DADAD29972F5FB8C684028F72FF21DD47F682D378C4EB8BF562AD33B1B49049D2D44A9599DA9F5591250565B7975776A594F9E790232B21B22E01B9E742EC78817CB052AF8F2D0A2ABB1EB2C5B90E467DB9C3626DA5550EC70B56C0A57D69E14FA456B80E465D29816FB2A1FB8DAA600A9277A3175CC956622B9CA71E7564EF7BC05DE0E87133CB3>>#][#FTPDK<<5>>#][#FTPSENDAFTERDELETE<<1>>#][#AYARBITIS#]P(
*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp
RAT_FTP_CLASS
{7BF80981-BF32-101A-8BBB-00AA00300CAB}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
127.0.0.1
PORT
WINDOWSFIREWALLKAPAT
FTPHOST
FTPUSER
FTPPASS
FTPDK
FTPSENDAFTERDELETE
GUpdate.exe
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\Userinit.exe,
ÞFAULTBROWSER%
\Userinit.exe,
[Webcam_Goruntusu]
notepad.exe
CALC.EXE
calc.exe
IEXPLORER.EXE
iexplorer.exe
NOTEPAD.EXE
[Ekran_Set_Keyboard]
[Online_Keylogger_Baslat]
[Online_Keylogger_Durdur]
[Offline_Keylogger_Loglarini_Gonder]
RegSvr.bat
del *.hy
Win32SysLogs.dat
dummy.html
winmgmts:\\.\root\SecurityCenter
2.6.0
WScript.Shell
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
SELECT * FROM Win32_OperatingSystem
\Internet Explorer\iexplore.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Webcam Penceresi Olusturuldu.!
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
cmd.exe /c netsh firewall set opmode disable
[Webcam_Stream_Geldi]
[Webcam_Gonderme_Hata_Olustu]
Scripting.FileSystemObject
[Online_Keylogger_Verisi_Geldi]
[Offline_Keylogger_Dosyalari_Geldi]
[Keylogger_Logu_Geldi]
Keylogger Logu Gonderiliyor
[Keylogger_Logu_Transfer_Bitti]
Keylogger Logu Transfer Bitti
[Keylogger_Logu_Geldi_OKU]
[Keylogger_Logu_Transfer_Bitti_OKU]
%systemroot%
rundll32.exe shell32.dll,Control_RunDLL main.cpl,,0
windows
rundll32.exe shell32.dll,Control_RunDLL intl.cpl,,0
rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,,0
rundll32.exe shell32.dll,Control_RunDLL timedate.cpl,,0
rundll32.exe shell32.dll,Control_RunDLL netcpl.cpl,,0
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
Shell.Application
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Uninstall
xWin32WB.exe
xWin32hr.txt
The operation was canceled.
modSocketSupport.RegisterSocket
modSocketSupport.ResolveHost
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
The version of Windows Sockets API support
Windows Sockets implementation.
The Windows Sockets version specified by the
application is not supported by this DLL.
modSocketSupport.InitWinsockService
.ResolveMessage
.WinsockMessage
clsSocket.RemoteHost
clsSocket.PostGetHostEvent
ShellPipe.Interrupt.ConsoleCtrlEvent
ShellPipe.ReadData.ReadFile
ShellPipe.ReadData.PeekNamedPipe
ReadData PeeknamedPipe error
ShellPipe.WriteData.WriteFile
Invalid thunk type passed
autorun.inf
Icon=%SystemRoot%\system32\SHELL32.dll,7
shell32.dll, 2
shell32.dll, 3
.fldr
shell32.dll, 0
\explorer.exe
@*\AE:\Projeler\Rat\Harmmy Rat v1.7\Stub\Project1.vbp
1.exe

rundll32.exe_1184:




.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

DW20.EXE_1852:




.text
`.data
.cdata
.rsrc
watson.microsoft.com
.mdmp
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
/dw/stagetwo.asp
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
Failed to fill report params from generic params
Not offering reporting
%s Mode
Failed to get a reporting destination
Nothing to report from queue
No reports left to send. Removing queue triggers and bailing.
Failed to plug UI; LCID=%u
Ignoring %S due to unknown queue version
Reporting is disabled
SignOff queue reporting is disabled
Queued Reporting Mode called but still want to report to the queue
Bad queue type to report from
No reports for given queue mask - %u
Invalid queue mask - %u
Suspending: Force cancel to queued reporting
Suspending: Force cancel to network reporting
CreateWindowExA failed with %d.
Application Error Reporting %d
WatsonQueuedReportingInstanceVerification
riched20.dll
qMicrosoft\PCHealth\ErrorReporting\DW
msaccess.exe
http://watson.microsoft.com/dw/dcp.asp
http://watson.microsoft.com/dw/watsoninfo.asp
dwintl20.dll
Launching lightweight browser with URL
mshtml.dll
Not reporting
Reporting
DWBypassQueue
DWExplainerURL
DWNoSignOffQueueReporting
DWAlwaysReport
DWReporteeName
DWURLLaunch
DWNoExternalURL
DWStressReport
ole32.dll
imm32.dll
BTLog.dll
Microsoft\PCHealth\ErrorReporting\DW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
http://
https://
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
%s\%s
https
DwBTLog.log
Failed to get minidump for %S!
szAppName=%s
szAppVer=%d.%d.%d.%d
szAppStamp=x
szModName=%s
szModVer=%d.%d.%d.%d
szModStamp=x
fDebug=%s
offset=x
microsoft.com
.msn.com
.microsoft.com
d:d:d d-d-d
/dw/generictwo.asp
kernel32.dll
psapi.dll
mso.dll
MsoDWRecover%x
MsoDWHang%x
Launching browser with URL
shell32.dll
%d.%d.%d.%d
%d.%d.%d.%d.x.%d.%d
shfolder.dll
unknown.sig
%s dw20.exe %d.%d.%d.%d
RegKey=
ResponseURL=
URLLaunch=
NoExternalURL=
%s:(%s) XX
%s:(%s) X
%s:(%s)
%s:(%s) %s
registry.txt
wql.txt
Windows NT Version %d.%d Build: %d
Stage 1 server response: %s
Stage 2 server response: %s
Stage 4 server response: %s
StatusCode: %d
Opening server: %s
HttpOpen failed.
Opening %s Request:
HTTPS
HttpSend Failed.
HttpWrite Failed, GLE=%d.
HttpEndReq failed.
Count filename length greater than MAX_PATH, can't report.
Filesystem reporting: count file updated
FReportToQueue: GetLastError=%u
FReportToQueue: File Tree Root does not exist: %S
Failed to add heap file to cab: %S
memory.dmp
mdmpmem.hdmp
version.txt
Network reporting complete.
Network reporting failed.
Application Error Reporting Transfer %d
Filesystem reporting complete
Filesystem reporting: cab successfully written
Filesystem reporting: could not find/create directory for cab/count
Filesystem reporting: redirection failure, too many redirects
Filesystem reporting: redirection failure, no previous roots
Filesystem reporting: improper file tree root
Filesystem reporting cancelled
Filesystem reporting: file tree root is too long
Record: 0xxx
Address: 0xxx
Code: 0xx
Flags: 0xx
x:x
(%d.%d:%d.%d)
Checksum: 0xx
Time Stamp: 0xx
Image Base: 0xx
Image Size: 0xx
Module %d
Windows NT %d.%d Build: %d
CPU AMD Feature Code: X
CPU Version: X CPU Feature Code: X
CPU Vendor Code: X - X - X
0xx:
0xx: x x x x
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
Thread ID: 0xx
Thread %d
Memory Range %d
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to obtain queue mutex. GetLastError=%u
FGetQueueMutex: WaitForSingleObject returned %u
Failed to open or create queue mutex. GetLastError=%u
Failed queued reporting pester check
Failed to create run reg key
Persistent run key is set.
CoInitializeEx() returned 0x%x.
Reporting to Admin Queue
Reporting to Regular Queue
Reporting to SignOff Queue
Reporting to Headless Queue
Reporting from Regular Queue
Reporting from SignOff Queue
Reporting from Headless Queue
OOM Failed to alloc QueuedReportData
FAllocSD: GetLastError=%u
%s%s%s
FEnsureQueueDirW: GetLastError=%u
Failed to write snt. GLE: %u
Failed to create snt. GLE: %u
Failed to set info; bad queue type: %u
Failed to open reg key for queue
Failed to get windows folder path for queue: %u
Failed to move instr file from queue A to queue B - %u
Failed to move cab file from queue A to queue B - %u
Did not move any reports from admin q to user q
Did not move any reports from user q to headless q
Queue types that have reports: %u
Setting triggerAtConnectionMade to: %u
Setting triggerAtLogon to: %u
Setting the queue trigger based upon: %u
SUCCESS adding report to queue
Launched (%S)
Failed to store the SensSubscription. hr: %d
failed to allocate PROGID string: %S
Failed putting SubscriberInterface. hr: %d
Failed putting PerUser. hr: %d
Failed putting Enabled. hr: %d
Failed putting MachineName. hr: %d
Failed putting OwnerSID. hr: %d
Failed putting Description. hr: %d
Failed putting InterfaceID. hr: %d
Failed putting EventClassID. hr: %d
Failed putting MethodName. hr: %d
Failed putting SubscriptionName. hr: %d
Failed putting PublisherID. hr: %d
Failed putting SubscriberCLSID. hr: %d
Failed putting SubscriptionID. hr: %d
Failed CoCreateInstance on EventSubscription. hr: %d
Failed to remove the SensSubscription. hr: %d
failed to allocate query string: %S
Failed CoCreateInstance on EventSystem. hr: %d
SENS: StringFromIID() returned <%x>
DWSHARED: SysAllocString(%s) failed!
Failed to subscribe subscription %u. hr: %d
Failed to get data for subscription %u. hr: %d
Failed to query install reg key
Failed to open install reg key
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
creating CDwAccessible: hwnd %x, idc %d
WriteAtOffset.Write(0x%x) failed, 0xx
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetOsCsdString failed, 0xx
WriteSystemInfo.GetCpuInfo failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
Kernel minidump write failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record parameter count (0x%x)
Invalid exception record size (0x%x)
Invalid CPU type (0x%x)
Invalid function table size (0x%x)
GetSystemType.GetOsInfo failed, 0xx
GetSystemType.GetCpuType failed, 0xx
Write.Start failed, 0xx
Dump type requires streaming but output provider does not support streaming
Invalid dump type 0x%x
dbghelp.dll
Alloc(0x%x) failed
Thread(0x%x) will not be included
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
0GenGetAuxMemory(%ws) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.Start(0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
version.dll
ntdll.dll
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
!"#$%&'()* ,-./0123456789:;<=
!!!!2222
%%%f||||
!!!!2222||||
!"#$%&'(
'()* ,-./0
&'()* ,-./
&'()* ,-./012345
3456789
.ASex
!"#$%&'()* ,-./012
!"#$%&'()
?msodatad.dat
msodatalast.dat
Unicows.dll
Kernel32.dll
SHLWAPI.DLL
GDI32.DLL
wintrust.dll
1108160
0u.hN
0SSh 
t.WWWj
PSSh07
t5SSh(
PSSSSSSh
0SSSSh
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
MSVCRT.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WININET.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ReportEventA
ReportEventW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
_amsg_exit
_acmdln
ShellExecuteExA
UrlGetPartA
CreateURLMoniker
CreateDialogIndirectParamA
EnumWindows
HttpQueryInfoA
HttpSendRequestExA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpEndRequestA
dw20.pdb
\devsplab1\otools\BBT_TEMP\DW20O.pdb
winword.exe
wwordlt.exe
excel.exe
excellt.exe
mspub.exe
frontpg.exe
outlook.exe
powerpnt.exe
powpntlt.exe
onenote.exe
infopath.exe
winproj.exe
ois.exe
visio.exe
`!`'`)` `
e%f-f|3 f'f/f
]!^"^#^ ^$^
t.uGuHu
x4x7x%x-x x
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
ichczc]eVeQeYeWe_UOeXeUeTe
{1{ {-{/{2{8{
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
duewexei
kCpDpJpHpIpEpFp
S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S
U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU
c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c
m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm
nRsSsh
evg%f
m.tRa
gtr%x
Q%SKg
f.ebp>QI
y.yxT
fn:q%uN
aw.Toiz
RMeXe
S#S$S%S;ScSdSrSsStSuS
`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`
^ ^!^"^#^$^%^&^'^.^}^
c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe
f f!f"f#f$f%f&f'f(f)f*f f,f-f
m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;mm?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm
u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu
U U!U"U#U$U%U&U'U(U4UJU
](^)^*^ ^,^-^/^0^1^
m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m
x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;xx?x@xAxXy_yaycydyeygyiyjykylynyoy
} }!}"}#}$}%}&}'}
] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]
]2^3^4^5^6^7^8^9^:^;^<^>^
cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX
d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele
s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs
u$u%u&u/ujukulumunuouqurusutu
duewexeyeze{e
~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0
| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|
{3~3}3|3
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei
s4s/s)s%s>sNsOs
s&t*t)t.tbt
2%2.bx
{ | }9},
d6exe9j
]%sOu4](n
m.t.zB}
w%xIyWy
^vcÓv
%f?iCt
U>_.lE
f.ebp
.nrR=
{fn:q%uN
25.exe
name="Microsoft.Windows.ErrorReporter"
version="5.1.0.0"
publicKeyToken="6595b64144ccf1df" />
Windows Error Reporting
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
1%s\%s\%s\%s\%s\%s\%s\%s
AppName: %s AppVer: %s AppStamp:%s
ModName: %s ModVer: %s ModStamp:%s
fDebug: %s Offset: %s
Main_AlwaysReportBtn=
Main_NoReportBtn=
Main_ReportBtn=
General_Reportee=
CheckBoxRegKey=
ReportingFlags=
Stage1URL=
Stage2URL=
%General_Reportee%
%u %s
%u.%u %s
%s %s %s %s in %s %s %s fDebug %s at offset %s
Bucket: d
BucketTable %d
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s
\dw.log
policy.txt
crash.log
status.txt
hits.log
count.txt
%s\%s\%s
%s\%s\%s\%s
eDWQueuedReporting
DWPersistentQueuedReporting
"%s\%s" -%c
dwtrig20.exe
ReportSize=
\*.cab
dwq.snt
"%s" -%c %u
SEventSystem.EventSubscription
SubscriptionID=%s
#$%&%&'(
Comctl32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\8267C.dmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
.NET Runtime 2.0 Error Reporting
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log
Microsoft Application Error Reporting
11.0.8160
Windows
DW20.Exe

svchost.exe_1480:




.text
`.data
.idata
.rsrc
RegCloseKey
RegCreateKeyExA
GetWindowsDirectoryA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
5.1.0.0
svchost.exe
Windows
Operating System


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    583.exe:1868
    %original file name%.exe:480
    rundll32.exe:1348
    rundll32.exe:212
    rundll32.exe:596
    rundll32.exe:1772
    rundll32.exe:1784
    rundll32.exe:1720
    rundll32.exe:1568
    rundll32.exe:240
    rundll32.exe:488
    rundll32.exe:280
    rundll32.exe:1752
    rundll32.exe:1672
    QSSSSS~1.EXE:424
    QSSSSS~1.EXE:772
    qqq.exe:568
    qqq.exe:324
    DW20.EXE:1852

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\aa.jpg (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qqq.exe (3727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wwwwwwwww.jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\z.jpg (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\images.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cc.jpg (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dd.jpg (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\w.jpg (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\x.jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\s.jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\g.jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\v.jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aaa.jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QSSSSS~1.EXE (21345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\a.jpg (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\25.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\583.exe (5442 bytes)
    %WinDir%\Kurulum\Server.exe (4185 bytes)
    %WinDir%\svchost.exe (1895 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1NX1M5O\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dw.log (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8267C.dmp (272187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZDB4QO0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\545QUVC9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A2MX3ODE\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%WinDir%\Kurulum\Server.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HKLM" = "%WinDir%\Kurulum\Server.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now