Trojan.GenericKD.3597375_38b6956442

by malwarelabrobot on October 20th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.3597375 (B) (Emsisoft), Trojan.GenericKD.3597375 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 38b69564426b76353075d72eac5cac57
SHA1: 61f6c319b5898746a1d603cec6ba6ca95f11be6c
SHA256: cd640c843f96ddeb01cb598d7c14cc590b7830608f8163bca5ad697ed9b78514
SSDeep: 3072:9ehZOgWT7c9b4KdZNZGX6rBvCRdYHzxY:9ehZBWhITrBvCIH
Size: 103936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-12 19:14:11
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2432
%original file name%.exe:192

The Trojan injects its code into the following process(es):

svchost.exe:2244
iexplore.exe:2232

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2432 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

The process %original file name%.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)

Registry activity

The process %original file name%.exe:2432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "rLokNsD0owQ6"

The process %original file name%.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: f1goami3.exe
Internal Name: f1goami3.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 98420 98816 5.1028 2e8af85c659f1b34c7b3f2aaadb088a5
.rsrc 114688 4096 4096 0.473091 6df07f382101fb6fdce7990f3e467aec
.reloc 122880 12 512 0.070639 fb63265899ee5eaebea8bef22f71b210

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.google.com/ 173.194.113.212
hxxp://www.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8gB 173.194.113.216
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCO1K2+o5D5i
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAMwQYKxJVsR
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://a1363.dscg.akamai.net/pki/crl/products/WinPCA.crl
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCO1K2+o5D5i 173.194.44.65
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon 173.194.44.65
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 212.30.134.169
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAMwQYKxJVsR 173.194.44.65
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.37.43.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY 173.194.44.65
ssl.gstatic.com 173.194.44.87
clients1.google.com.ua 74.125.232.248


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 404 Not Found
Date: Wed, 19 Oct 2016 10:15:12 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1


Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 404 Not Found
Date: Wed, 19 Oct 2016 10:15:17 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>


GET / HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google.com
Connection: Keep-Alive
Cookie: NID=88=C6CEKO82itAhdU0twN6URqunh6Sn9EPCs-teRRQ4QRgNCJP-EG6VgSTOkC7BafUzPUi-GjuRAoRi6F4Sx78Gd_cLieG7apk740DNnT0oV6phUdJTT3H8MUyjxWiFq3Dm


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8gB
Content-Length: 260
Date: Wed, 19 Oct 2016 10:14:36 GMT
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fH
ZMqdi8gB">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8g
B..Content-Length: 260..Date: Wed, 19 Oct 2016 10:14:36 GMT..<HTML&
gt;<HEAD><meta http-equiv="content-type" content="text/html;c
harset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><
;BODY>.<H1>302 Moved</H1>.The document has moved.<A 
HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8gB"
>here</A>...</BODY></HTML>....



GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Oct 2013 05:02:51 GMT
If-None-Match: "8071417b63bece1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 02 Dec 2015 18:30:06 GMT
Accept-Ranges: bytes
ETag: "0cb60772f2dd11:0"
Server: Microsoft-IIS/8.5
VTag: 279207026700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 530
Cache-Control: max-age=900
Date: Wed, 19 Oct 2016 10:15:28 GMT
Connection: keep-alive
0...0.....0...*.H........0..1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows
 Verification PCA..151202080000Z..430418080000Z.A0?0...U.#..0.......p.
...........<.J0... .....7.......0...U......90...*.H..............I.
..MYp.....yh..$3..F.D....Qe]....~...>.Ye.h...L.nQ..091.=.G..s.D....
.....g)...4.'........B....l#....c...e..U......Z .[.,.x..h:M~..mS./p..F
......l.G.H<.".y.B.5.."\|.Hi`N=j.....;w.......o.*......C)....U..3Mt
.}......X......H.....|d...s..`.8F.l.......R.C....HTTP/1.1 200 OK..Cont
ent-Type: application/pkix-crl..Last-Modified: Wed, 02 Dec 2015 18:30:
06 GMT..Accept-Ranges: bytes..ETag: "0cb60772f2dd11:0"..Server: Micros
oft-IIS/8.5..VTag: 279207026700000000..P3P: CP="ALL IND DSP COR ADM CO
No CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PH
Y PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 530..Cache-Cont
rol: max-age=900..Date: Wed, 19 Oct 2016 10:15:28 GMT..Connection: kee
p-alive..0...0.....0...*.H........0..1.0...U....US1.0...U....Washingto
n1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsof
t Windows Verification PCA..151202080000Z..430418080000Z.A0?0...U.#..0
.......p............<.J0... .....7.......0...U......90...*.H.......
.......I...MYp.....yh..$3..F.D....Qe]....~...>.Ye.h...L.nQ..091.=.G
..s.D.........g)...4.'........B....l#....c...e..U......Z .[.,.x..h:M~.
.mS./p..F......l.G.H<.".y.B.5.."\|.Hi`N=j.....;w.......o.*......C).
...U..3Mt.}......X......H.....|d...s..`.8F.l.......R.C.....
<<< skipped >>>


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Cache-Control: max-age = 440358
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 18 Nov 2013 13:12:21 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1452
content-transfer-encoding: binary
Cache-Control: max-age=418782, public, no-transform, must-revalidate
Last-Modified: Mon, 17 Oct 2016 06:32:09 GMT
Expires: Mon, 24 Oct 2016 06:32:09 GMT
Date: Wed, 19 Oct 2016 10:15:23 GMT
Connection: keep-alive
0..........0..... .....0......0...0.........Yt...........z.(...2016101
7063209Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a.
.eR&.....Y.)..".\....20161017063209Z....20161024063209Z0...*.H........
..... >[email protected]. ..`m.G.H.p..vP....o..."...m<._......=.c"
...._Y.6..e.]..#-......p.S....o..VZ|'b..l..6LIK.t..v..<.jL...s.N...
...~#(.=...z.4..J{C.k^C..2.J... .v....M*.....t....s.i....%,...O~..Yt.;
.GM^....nx..&..$nqw6.rW.._]OH.,..en..D...sY..A.O\[o..T...6.h....0...0.
[email protected]...*.H........0_1.0...U....US1.0...U....
VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authorit
y0...151124000000Z..161214235959Z0..1.0...U....US1.0...U....Symantec C
orporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3
 PCA - G1 OCSP Responder Certificate 40.."0...*.H.............0.......
...K...8..p...<.\"J6.A!../.nL...6.........!.),......9].N6Kz.WC..8.)
z.by.z..[% #..^t.^...*..M....p..{AW..[...d.]p...VY..F..d....>wv.5..
.?......g>qJ...oF.jOW:.'n....4vK.....p..@.%......=..^..1.^..e^..w..
.g.......gM...H..m..P..t (..)B.....1,`..!&.Ry.=:.6-c..=w........0..0..
.U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.c
om/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0
...U........0... .....0......0 ..U....0...0.1.0...U....TGV-C-570...*.H
............o....8qO..."....5.E.....S.k&.Bd...2T@=._..H...S%...m. ...G
d........#.Ty/r..GH/..].G....o5..J.v.$...."...R.><....Jl..z.....
=^`8....
<<< skipped >>>


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCO1K2+o5D5i HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sun, 16 Oct 2016 17:18:10 GMT
Expires: Thu, 20 Oct 2016 17:18:10 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 233786
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2016101
6070232Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
.#. o..>b....20161016070232Z....20161023070232Z0...*.H.............
l.:......%8......`[...4....`..6...._......-......p.....x......Y.#..^..
...d..'.Sh....I.I......2P.q....jb.W.N....{..\o....m.....t.2..O.!E..G..
}|.c........a...V)..F..Z.#..&K..^./.;?...._...........m._..s.C......1p
}..gni......<.-..............O.X...q.U......o_HTTP/1.1 200 OK..Cont
ent-Type: application/ocsp-response..Date: Sun, 16 Oct 2016 17:18:10 G
MT..Expires: Thu, 20 Oct 2016 17:18:10 GMT..Server: ocsp_responder..Co
ntent-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: S
AMEORIGIN..Age: 233786..Cache-Control: public, max-age=345600..0......
....0..... .....0......0...0......J......h.v....b..Z./..20161016070232
Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..#. o..
>b....20161016070232Z....20161023070232Z0...*.H.............l.:....
..%8......`[...4....`..6...._......-......p.....x......Y.#..^.....d..'
.Sh....I.I......2P.q....jb.W.N....{..\o....m.....t.2..O.!E..G..}|.c...
.....a...V)..F..Z.#..&K..^./.;?...._...........m._..s.C......1p}..gni.
.....<.-..............O.X...q.U......o_....
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAMwQYKxJVsR HTTP/1.1


Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Sat, 15 Oct 2016 22:59:48 GMT
Expires: Wed, 19 Oct 2016 22:59:48 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 299689
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2016101
5130203Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
..0A..%[.....20161015130203Z....20161022130203Z0...*.H.............O._
W..7...s.....f....hv.,.r....9......h..k...o..-..ogC..8..9....d.L....:.
r.ba.xmCz][email protected]_.n8J.f....R
...`d...,[..T.Y2..E....l..`dY..qn...~m..W..{oA4.........)..|j=...2n...
$:L.H..i.s.]...i!K.GQ.gGeW..].r..&d.~.> ...HTTP/1.1 200 OK..Content
-Type: application/ocsp-response..Date: Sat, 15 Oct 2016 22:59:48 GMT.
.Expires: Wed, 19 Oct 2016 22:59:48 GMT..Server: ocsp_responder..Conte
nt-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAME
ORIGIN..Age: 299689..Cache-Control: public, max-age=345600..0.........
.0..... .....0......0...0......J......h.v....b..Z./..20161015130203Z0k
0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...0A..%[..
...20161015130203Z....20161022130203Z0...*.H.............O._W..7...s..
...f....hv.,.r....9......h..k...o..-..ogC..8..9....d.L....:.r.ba.xmCz]
[email protected]_.n8J.f....R...`d...,[
..T.Y2..E....l..`dY..qn...~m..W..{oA4.........)..|j=...2n...$:L.H..i.s
.]...i!K.GQ.gGeW..].r..&d.~.> .....



GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAMwQYKxJVsR HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Tue, 18 Oct 2016 22:00:50 GMT
Expires: Sat, 22 Oct 2016 22:00:50 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 44027
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..2016101
8130159Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./.
..0A..%[.....20161018130159Z....20161025130159Z0...*.H................
..._..Wl..T.s..m..'.!. ...q..K9.....N.c."...i.i..K..e..V......*.-..P.!
..;..%....$c.)r.....S....c.....].........S...?.o!..r..*.g...E..^@.<
. zl.'.?y=.....9...'..Df......]...0.. 4^.m..AL|/... ..W..A.AX....].6..
:..qu.z.X;M...cpO...F...v.gZ..u.N.a.......:.. HTTP/1.1 200 OK..Content
-Type: application/ocsp-response..Date: Tue, 18 Oct 2016 22:00:50 GMT.
.Expires: Sat, 22 Oct 2016 22:00:50 GMT..Server: ocsp_responder..Conte
nt-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAME
ORIGIN..Age: 44027..Cache-Control: public, max-age=345600..0..........
0..... .....0......0...0......J......h.v....b..Z./..20161018130159Z0k0
i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./...0A..%[...
..20161018130159Z....20161025130159Z0...*.H..................._..Wl..T
.s..m..'.!. ...q..K9.....N.c."...i.i..K..e..V......*.-..P.!..;..%....$
c.)r.....S....c.....].........S...?.o!..r..*.g...E..^@.<. zl.'.?y=.
....9...'..Df......]...0.. 4^.m..AL|/... ..W..A.AX....].6..:..qu.z.X;M
...cpO...F...v.gZ..u.N.a.......:.. ..



GET /?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8gB HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: VVV.google.com.ua


HTTP/1.1 302 Found
Location: hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8fHZMqdi8gB&gws_rd=ssl
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Wed, 19 Oct 2016 10:14:36 GMT
Server: gws
Content-Length: 276
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=89=eBTpZCTpBzvfIQYHquEQYWhxoufqnqZ8q7LstKQffENb1rpmviuEQoq8NHta0--P6rcv37jBOr_N2IW5amRn7sgBUmDVlEFfZgENFmABrCaPiP_c4T1dX_v17wytSNNI; expires=Thu, 20-Apr-2017 10:14:36 GMT; path=/; domain=.google.com.ua; HttpOnly
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr&ei=jEcHWN-hH8f
HZMqdi8gB&gws_rd=ssl">here</A>...</BODY></HTML&g
t;..HTTP/1.1 302 Found..Location: hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=jEcHWN-hH8fHZMqdi8gB&gws_rd=ssl..Cache-Control: private..Content-T
ype: text/html; charset=UTF-8..P3P: CP="This is not a P3P policy! See 
hXXps://VVV.google.com/support/accounts/answer/151657?hl=en for more i
nfo."..Date: Wed, 19 Oct 2016 10:14:36 GMT..Server: gws..Content-Lengt
h: 276..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..
Set-Cookie: NID=89=eBTpZCTpBzvfIQYHquEQYWhxoufqnqZ8q7LstKQffENb1rpmviu
EQoq8NHta0--P6rcv37jBOr_N2IW5amRn7sgBUmDVlEFfZgENFmABrCaPiP_c4T1dX_v17
wytSNNI; expires=Thu, 20-Apr-2017 10:14:36 GMT; path=/; domain=.google
.com.ua; HttpOnly..<HTML><HEAD><meta http-equiv="conten
t-type" content="text/html;charset=utf-8">.<TITLE>302 Moved&l
t;/TITLE></HEAD><BODY>.<H1>302 Moved</H1>.T
he document has moved.<A HREF="hXXps://VVV.google.com.ua/?gfe_rd=cr
&ei=jEcHWN-hH8fHZMqdi8gB&gws_rd=ssl">here</A>...</
BODY></HTML>....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

iexplore.exe_2372:

.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_2324:

.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

svchost.exe_2244:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

svchost.exe_2244_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
127.0.0.1
Pubalihazm2017.no-ip.biz
Server.exe
Cli{VTS3NDMA-52VO-2MM7-110T-W417I8QA7A4Y}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
qexe
Microsoft\Windows\Start MenrLokNsD0owQ6PERSIST
PTF.ftpserver.com
ftpuser

iexplore.exe_2232:

.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_2232_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TServerKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
127.0.0.1
Pubalihazm2017.no-ip.biz
Server.exe
Cli{VTS3NDMA-52VO-2MM7-110T-W417I8QA7A4Y}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
qexe
Microsoft\Windows\Start MenrLokNsD0owQ6PERSIST
PTF.ftpserver.com
ftpuser
c:\%original file name%.exe
%Program Files%\Internet Explorer\iexplore.exe

WMIADAP.EXE_2040:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
wbemcomn.dll
OLEAUT32.dll
ole32.dll
loadperf.dll
FEw.AEw]FEw
`.bik
PSSSSSSh
WMIADAP.exe
?CloseSubKey@CRegistry@@AAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?RewindSubKeys@CRegistry@@QAEXXZ
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
QSSh0
Invalid parameter passed to C runtime function.
ntdll.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyW
RegDeleteKeyW
RegQueryInfoKeyW
_amsg_exit
_acmdln
?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z
WMIADAP.pdb
<assemblyIdentity version="1.0.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
5m6z6
%s_x
%s_x_
Global\WMI_SysEvent_Semaphore_%d
WinMSGWMIADAP
\\.\root\cimv2
WMIADAP Msg window
\\.\root\wmi
PSAPI.DLL
x=%s
Describes all the counters supported via WMI Hi-Performance providers
_new.ini
xx %s%s.ini
xx %s
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
WmiApRes.dll
%s\%s
6.1.7600.16385 (win7_rtm.090713-1255)
wmicookr.dll
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2432
    %original file name%.exe:192

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe (601 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "18.exe" = "C:\Users\"%CurrentUserName%"\AppData\RoamingMicrosoft\System\Services\18.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now