Trojan.Win32.Swrort_261ad8bccf
Trojan.GenericKD.30975625 (BitDefender), Trojan:Win32/Eqtonex.C (Microsoft), Trojan.Win32.EquationDrug.kp (Kaspersky), Trojan.DownLoader26.51072 (DrWeb), Trojan.GenericKD.30975625 (B) (Emsisoft), Artemis!261AD8BCCF0B (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win32.Themida (Ikarus), Trojan.GenericKD.30975625 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R004C0DFH18 (TrendMicro), GenericEmailWorm.YR, TrojanSwrort.YR, PackedThemida.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Packed, Malware
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 261ad8bccf0baaf82d01009f12c60a98
SHA1: 8fe60526248e0e02eab7b11dd48114bde4ea40e9
SHA256: a111bc5d529d9071a232750de0383d5e1fb87c552f17f6b090da77efb6b323f0
SSDeep: 98304:EtnliX/8Hv1Z1dQ6jQxm1Zhyn1zg5GN738x0rbbU/T/FYZmtiQHEd/oHXVB:EtcYdxum1Zs1zBN6mb DOZwi3qB
Size: 6594560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CHIP Digital GmbH
Created at: 2018-06-15 03:37:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | The worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
regedit.exe:3968
netsh.exe:2736
netsh.exe:3820
netsh.exe:760
netsh.exe:2924
netsh.exe:1264
netsh.exe:3000
netsh.exe:3652
netsh.exe:2344
netsh.exe:2380
netsh.exe:952
netsh.exe:4048
netsh.exe:2036
netsh.exe:2508
netsh.exe:812
netsh.exe:2240
netsh.exe:2440
netsh.exe:2720
netsh.exe:2420
netsh.exe:3932
netsh.exe:3644
netsh.exe:3560
netsh.exe:3568
netsh.exe:3372
netsh.exe:3684
netsh.exe:2144
netsh.exe:3988
netsh.exe:720
netsh.exe:2696
netsh.exe:372
netsh.exe:1740
%original file name%.exe:1064
The Trojan injects its code into the following process(es):
CPUInfo.exe:3228
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process CPUInfo.exe:3228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\IIS\esco-0.dll (13 bytes)
C:\Windows\IIS\etebCore-2.x86.dll (112 bytes)
C:\Windows\IIS\pcre-0.dll (146 bytes)
C:\Windows\IIS\ucl.dll (58 bytes)
C:\Windows\end.bat (15 bytes)
C:\Windows\IIS\exma-1.dll (10 bytes)
C:\Windows\IIS\adfw.dll (11 bytes)
C:\Windows\IIS\tucl.dll (6 bytes)
C:\Windows\IIS\trfo-0.dll (45 bytes)
C:\Windows\IIS\libcurl.dll (212 bytes)
C:\Windows\IIS\zibe.dll (262 bytes)
C:\Windows\IIS\adfw-2.dll (14 bytes)
C:\Windows\IIS\1.BAT (32 bytes)
C:\Windows\IIS\etchCore-0.x86.dll (142 bytes)
C:\Windows\IIS\Cstr.fb (503 bytes)
C:\Windows\IIS\tucl-1.dll (9 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.xml (11 bytes)
C:\Windows\IIS\cnli-0.dll (106 bytes)
C:\Windows\IIS\exma.dll (6 bytes)
C:\Windows\IIS\tibe.dll (270 bytes)
C:\Windows\IIS\qdx.bat (113 bytes)
C:\Windows\IIS\libiconv-2.dll (970 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.exe (69 bytes)
C:\Windows\IIS\pcla-0.dll (337 bytes)
C:\Windows\IIS\crli-0.dll (17 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.xml (2 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.fb (987 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.fb (1 bytes)
C:\Windows\IIS\riar.dll (16 bytes)
C:\Windows\IIS\iis.reg (1 bytes)
C:\Windows\IIS\pcrecpp-0.dll (32 bytes)
C:\Windows\IIS\posh.dll (6 bytes)
C:\Windows\IIS\posh-0.dll (11 bytes)
C:\Windows\IIS\riar-2.dll (32 bytes)
C:\Windows\IIS\tibe-1.dll (233 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.exe (53 bytes)
C:\Windows\IIS\chrome..xml (5 bytes)
C:\Windows\IIS\pcreposix-0.dll (9 bytes)
C:\Windows\IIS\etchCore-0.x64.dll (179 bytes)
C:\Windows\IIS\dmgd-4.dll (479 bytes)
C:\Windows\IIS\iconv.dll (22 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.xml (47 bytes)
C:\Windows\IIS\cnli-1.dll (100 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.fb (246 bytes)
C:\Windows\IIS\etch-0.dll (158 bytes)
C:\Windows\IIS\chrome..fb (242 bytes)
C:\Windows\IIS\trch-0.dll (73 bytes)
C:\Windows\IIS\srvany.exe (8 bytes)
C:\Windows\IIS\xdvl-0.dll (32 bytes)
C:\Windows\IIS\libeay32.dll (903 bytes)
C:\Windows\IIS\libxml2.dll (826 bytes)
C:\Windows\IIS\trfo.dll (38 bytes)
C:\Windows\IIS\etebCore-2.x64.dll (141 bytes)
C:\Windows\IIS\coli-0.dll (15 bytes)
C:\Windows\IIS\trfo-2.dll (29 bytes)
C:\Windows\IIS\tibe-2.dll (237 bytes)
C:\Windows\IIS\trch.dll (49 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.exe (158 bytes)
C:\Windows\IIS\trch-1.dll (59 bytes)
C:\Windows\IIS\chrome..exe (45 bytes)
C:\Windows\IIS\dmgd-1.dll (35 bytes)
C:\Windows\IIS\zlib1.dll (60 bytes)
C:\Windows\IIS\Cstr.xml (7 bytes)
C:\Windows\IIS\ssleay32.dll (184 bytes)
C:\Windows\IIS\Cstr.exe (129 bytes)
C:\Windows\IIS\eteb-2.dll (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ips138[1].htm (7792 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9839388\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9791543\TemporaryFile (0 bytes)
C:\Windows\end.bat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830886\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9815629 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9803602 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9818656\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9812634 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830902\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9809608\TemporaryFile (0 bytes)
C:\Windows\IIS\1.BAT (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9809608 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9815645 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9818640 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9800591\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9812634\TemporaryFile (0 bytes)
C:\Windows\IIS\qdx.bat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9806612 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830871\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9809623 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9806597 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9806597\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830886 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794585\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9812618\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9791543 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830871 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9803586 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9797611 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9830902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9815645\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9803602\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9800591 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9839373 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9815629\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794553 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9806612\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9803586\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9818656 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794553\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9800575\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9809623\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794600 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794585 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9797595 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9839373\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9797595\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9791558 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9839388 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9812618 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9800575 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9797611\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9818640\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9791558\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9794600\TemporaryFile (0 bytes)
The process %original file name%.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\boy.exe (6 bytes)
C:\Windows\IIS\CPUInfo.exe (1024 bytes)
Registry activity
The process CPUInfo.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\CPUInfo_RASMANCS]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process regedit.exe:3968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\iis]
"Description" = ""
"ErrorControl" = "1"
"DisplayName" = "iis"
"Start" = "2"
"Type" = "16"
"ObjectName" = "LocalSystem"
[HKLM\System\CurrentControlSet\services\iis\Parameters]
"SrvanyUI" = "{637800A7-1458-425B-965D-EC8C0E750A72}"
[HKLM\System\CurrentControlSet\services\iis]
"ImagePath" = "C:\Windows\IIS\srvany.exe"
[HKLM\System\CurrentControlSet\services\iis\Parameters]
"Application" = "C:\Windows\IIS\CPUInfo.exe"
"AppDirectory" = "C:\Windows\IIS\"
The process netsh.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecName" = "ipsec_ply"
"whenChanged" = "1529382895"
"ipsecDataType" = "256"
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"Name" = "ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecID" = "{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode" = "3"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"description"
The process netsh.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{b3a77d92-7348-45dc-995d-00e09e8094a0}]
"Name" = "ipsecFilter{b3a77d92-7348-45dc-995d-00e09e8094a0}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "allow_pt"
"whenChanged" = "1529382885"
"ClassName" = "ipsecFilter"
"ipsecID" = "{b3a77d92-7348-45dc-995d-00e09e8094a0}"
"ipsecDataType" = "256"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{b3a77d92-7348-45dc-995d-00e09e8094a0}]
"description"
The process netsh.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{0c12528e-a472-49b1-bbcc-65bef5830d58}]
"ipsecID" = "{0c12528e-a472-49b1-bbcc-65bef5830d58}"
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
"ClassName" = "ipsecNegotiationPolicy"
"Name" = "ipsecNegotiationPolicy{0c12528e-a472-49b1-bbcc-65bef5830d58}"
"whenChanged" = "1529382886"
"ipsecName" = "deny"
"ipsecDataType" = "256"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{0c12528e-a472-49b1-bbcc-65bef5830d58}]
"description"
The process netsh.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{e579a724-da52-4780-a45c-6ad8cdacbe0e}]
"ipsecDataType" = "256"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction" = "{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ClassName" = "ipsecNegotiationPolicy"
"ipsecName" = "allow"
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecID" = "{e579a724-da52-4780-a45c-6ad8cdacbe0e}"
"Name" = "ipsecNegotiationPolicy{e579a724-da52-4780-a45c-6ad8cdacbe0e}"
"whenChanged" = "1529382886"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{e579a724-da52-4780-a45c-6ad8cdacbe0e}]
"description"
The process netsh.exe:952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382886"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:4048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecName" = "ipsec_ply"
"whenChanged" = "1529382888"
"ipsecDataType" = "256"
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"Name" = "ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecID" = "{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode" = "3"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"description"
The process netsh.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382891"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"whenChanged" = "1529382889"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382891"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382885"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecName" = "ipsec_ply"
"whenChanged" = "1529382894"
"ipsecDataType" = "256"
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"Name" = "ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecID" = "{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode" = "3"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"description"
The process netsh.exe:2420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382892"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"whenChanged" = "1529382888"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382890"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382892"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"whenChanged" = "1529382890"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382892"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382885"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ClassName" = "ipsecFilter"
"whenChanged" = "1529382891"
"ipsecID" = "{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"whenChanged" = "1529382887"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"Name" = "ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
"ipsecDataType" = "256"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "deny_pt"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382889"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"description"
The process netsh.exe:2144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:3988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}, SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ipsecName" = "deny"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ClassName" = "ipsecNFA"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{5dedc9a0-b066-4d2c-baa4-6b866dd71eb3}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{0c12528e-a472-49b1-bbcc-65bef5830d58}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ClassName" = "ipsecPolicy"
"Name" = "ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecID" = "{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecName" = "ipsec_ply"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"Name" = "ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}"
"ipsecID" = "{d4392489-9095-4ef3-8cd7-c982693985e8}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382887"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"whenChanged" = "1529382886"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{0c12528e-a472-49b1-bbcc-65bef5830d58}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{d4392489-9095-4ef3-8cd7-c982693985e8}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"description"
The process netsh.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:1740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecID" = "{e7d60752-7072-406e-af56-35faa509bfd9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"whenChanged" = "1529382885"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@%SystemRoot%\system32]
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-3" = "Microsoft Corporation"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-4" = "1.0"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ipsecNegotiationPolicyType" = "{62f49e13-6c37-11d1-864c-14a300000000}"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ClassName" = "ipsecPolicy"
"Name" = "ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
"ipsecID" = "{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ipsecNegotiationPolicyAction" = "{8a171dd3-77e3-11d1-8659-a04f00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecName" = "ipsec_ply"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ClassName" = "ipsecNegotiationPolicy"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@%SystemRoot%\system32]
"dhcpqec.dll,-102" = "Microsoft Corporation"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"Name" = "ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"Name" = "ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}"
"whenChanged" = "1529382885"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ipsecID" = "{2d616f7e-1b22-43f4-b53d-c50b47e3431e}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"whenChanged" = "1529382884"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-102" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"whenChanged" = "1529382884"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}]
"Name" = "ipsecISAKMPPolicy{e7d60752-7072-406e-af56-35faa509bfd9}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"ipsecID" = "{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{275a847c-45a9-4ab2-857c-db4cc6cbbc4e}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{2d616f7e-1b22-43f4-b53d-c50b47e3431e}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{12f4c46f-bd05-4e3d-899e-292c5f831387}]
"description"
The process %original file name%.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "C:\Windows\boy.exe"
"load" = "C:\Windows\boy.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe C:\Windows\boy.exe"
Dropped PE files
MD5 | File path |
---|---|
8c80dd97c37525927c1e549cb59bcbf3 | c:\Windows\IIS\Cstr.exe |
1d2db6d8d77c2e072db34ca7377722be | c:\Windows\IIS\Esteemaudit-2.1.0.exe |
e30d66be8ddf31f44bb66b8c3ea799ae | c:\Windows\IIS\Esteemaudittouch-2.1.0.exe |
d2fb01629fa2a994fbd1b18e475c9f23 | c:\Windows\IIS\Eternalchampion-2.0.0.exe |
31d696f93ec84e635c4560034340e171 | c:\Windows\IIS\adfw-2.dll |
770d0caa24d964ea7c04ff5daf290f08 | c:\Windows\IIS\adfw.dll |
c24315b0585b852110977dacafe6c8c1 | c:\Windows\IIS\chrome..exe |
ee2d6e1d976a3a92fb1c2524278922ae | c:\Windows\IIS\cnli-0.dll |
a539d27f33ef16e52430d3d2e92e9d5c | c:\Windows\IIS\cnli-1.dll |
3c2fe2dbdf09cfa869344fdb53307cb2 | c:\Windows\IIS\coli-0.dll |
f82fa69bfe0522163eb0cf8365497da2 | c:\Windows\IIS\crli-0.dll |
1ca9e6eb86036daea4dfa3297f70d542 | c:\Windows\IIS\dmgd-1.dll |
a05c7011ab464e6c353a057973f5a06e | c:\Windows\IIS\dmgd-4.dll |
d9b5b26f0423230e99768092f17919a3 | c:\Windows\IIS\esco-0.dll |
3e5d06dc6e7890e1800cf24c9f599856 | c:\Windows\IIS\etch-0.dll |
4ff94c163565a38a27cf997ad07b3d69 | c:\Windows\IIS\etchCore-0.x64.dll |
1f0669f13dc0545917e8397063f806db | c:\Windows\IIS\etchCore-0.x86.dll |
47106682e18b0c53881252061ffcaa2d | c:\Windows\IIS\eteb-2.dll |
24aa99837d14bee5da2e2339b07f9d4c | c:\Windows\IIS\etebCore-2.x64.dll |
89b7dac7d9ce5b75b08f5d037edd3869 | c:\Windows\IIS\etebCore-2.x86.dll |
ba629216db6cf7c0c720054b0c9a13f3 | c:\Windows\IIS\exma-1.dll |
649b368c52de83e52474a20ce4f83425 | c:\Windows\IIS\exma.dll |
4803a7863da607333378b773b6a17f4c | c:\Windows\IIS\iconv.dll |
43aac72a9602ef53c5769f04e1be7386 | c:\Windows\IIS\libcurl.dll |
f01f09fe90d0f810c44dce4e94785227 | c:\Windows\IIS\libeay32.dll |
5adcbe8bbba0f6e733550ce8a9762fa0 | c:\Windows\IIS\libiconv-2.dll |
9a5cec05e9c158cbc51cdc972693363d | c:\Windows\IIS\libxml2.dll |
6fe4544d00b77e0295e779e82d8f0fe5 | c:\Windows\IIS\pcla-0.dll |
00dd6b018c3c2d347df43f779715bca5 | c:\Windows\IIS\pcre-0.dll |
09836461312a3781af6e1298c6b2c249 | c:\Windows\IIS\pcrecpp-0.dll |
30017e300c6d92e126bf92017c195c37 | c:\Windows\IIS\pcreposix-0.dll |
2f0a52ce4f445c6e656ecebbcaceade5 | c:\Windows\IIS\posh-0.dll |
b777086fd83d0bc1dccdc7c126b207d0 | c:\Windows\IIS\posh.dll |
8969668746ae64ca002cc7289cd1c5da | c:\Windows\IIS\riar-2.dll |
e53f9e6f1916103aab8703160ad130c0 | c:\Windows\IIS\riar.dll |
4635935fc972c582632bf45c26bfcb0e | c:\Windows\IIS\srvany.exe |
5e8ecdc3e70e2ecb0893cbda2c18906f | c:\Windows\IIS\ssleay32.dll |
0647dcd31c77d1ee6f8fac285104771a | c:\Windows\IIS\tibe-1.dll |
f0881d5a7f75389deba3eff3f4df09ac | c:\Windows\IIS\tibe-2.dll |
f61e81eaf4a9ac9cd52010da3954c2a9 | c:\Windows\IIS\tibe.dll |
8b0a4ce79f5ecdb17ad168e35db0d0f9 | c:\Windows\IIS\trch-0.dll |
838ceb02081ac27de43da56bec20fc76 | c:\Windows\IIS\trch-1.dll |
01d5adbfee39c5807ee46f7990f5fda7 | c:\Windows\IIS\trch.dll |
46f7b320b13a4b618946042360215179 | c:\Windows\IIS\trfo-0.dll |
3e89c56056e5525bf4d9e52b28fbbca7 | c:\Windows\IIS\trfo-2.dll |
d1aae806243cc0bedb83a22919a3a660 | c:\Windows\IIS\trfo.dll |
83076104ae977d850d1e015704e5730a | c:\Windows\IIS\tucl-1.dll |
1fa609bc0d252ca0915d6aed2df7ccc2 | c:\Windows\IIS\tucl.dll |
6b7276e4aa7a1e50735d2f6923b40de4 | c:\Windows\IIS\ucl.dll |
5b72ccfa122e403919a613785779af49 | c:\Windows\IIS\xdvl-0.dll |
9744f0000284c2807de0651c7e0d980a | c:\Windows\IIS\zibe.dll |
e4ad4df4e41240587b4fe8bbcb32db15 | c:\Windows\IIS\zlib1.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: boy
Product Name: HD Audio Background Process
Product Version: 1.8.4.6
Legal Copyright: boy ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.8.4.6
File Description: HD Audio Background Process
Comments: HD Audio Background Process
Language: German (Germany)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
 | 4096 | 13049856 | 6012928 | 5.53101 | 6266ce77ba96c6447ea3488788bed81f |
.rsrc | 13053952 | 58144 | 16384 | 4.4764 | 98dbdd5a660e907b8104c19e997cfb32 |
.idata | 13115392 | 4096 | 4096 | 0.153156 | 300c9fb8331bc8767f3c611bdf12648e |
 | 13119488 | 675840 | 4096 | 0.029229 | a6b0b097365f65b49f1b286c287e495e |
vswyuhxh | 13795328 | 548864 | 548864 | 5.41508 | f9a61794800430ae26f010bb3d4f8fb7 |
fyoxvnwa | 14344192 | 4096 | 4096 | 0.374979 | 86ff3131580a4359bec12f33f50d1042 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://dyndns.s.3322.net/ | |
hxxp://www.ip138.com.lxdns.com/ips138.asp?ip= | 157.185.149.167 |
hxxp://www.ip138.com/ips138.asp?ip= | 157.185.149.167 |
ip.3322.net | 118.184.176.12 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regedit.exe:3968
netsh.exe:2736
netsh.exe:3820
netsh.exe:760
netsh.exe:2924
netsh.exe:1264
netsh.exe:3000
netsh.exe:3652
netsh.exe:2344
netsh.exe:2380
netsh.exe:952
netsh.exe:4048
netsh.exe:2036
netsh.exe:2508
netsh.exe:812
netsh.exe:2240
netsh.exe:2440
netsh.exe:2720
netsh.exe:2420
netsh.exe:3932
netsh.exe:3644
netsh.exe:3560
netsh.exe:3568
netsh.exe:3372
netsh.exe:3684
netsh.exe:2144
netsh.exe:3988
netsh.exe:720
netsh.exe:2696
netsh.exe:372
netsh.exe:1740
%original file name%.exe:1064
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\IIS\esco-0.dll (13 bytes)
C:\Windows\IIS\etebCore-2.x86.dll (112 bytes)
C:\Windows\IIS\pcre-0.dll (146 bytes)
C:\Windows\IIS\ucl.dll (58 bytes)
C:\Windows\end.bat (15 bytes)
C:\Windows\IIS\exma-1.dll (10 bytes)
C:\Windows\IIS\adfw.dll (11 bytes)
C:\Windows\IIS\tucl.dll (6 bytes)
C:\Windows\IIS\trfo-0.dll (45 bytes)
C:\Windows\IIS\libcurl.dll (212 bytes)
C:\Windows\IIS\zibe.dll (262 bytes)
C:\Windows\IIS\adfw-2.dll (14 bytes)
C:\Windows\IIS\1.BAT (32 bytes)
C:\Windows\IIS\etchCore-0.x86.dll (142 bytes)
C:\Windows\IIS\Cstr.fb (503 bytes)
C:\Windows\IIS\tucl-1.dll (9 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.xml (11 bytes)
C:\Windows\IIS\cnli-0.dll (106 bytes)
C:\Windows\IIS\exma.dll (6 bytes)
C:\Windows\IIS\tibe.dll (270 bytes)
C:\Windows\IIS\qdx.bat (113 bytes)
C:\Windows\IIS\libiconv-2.dll (970 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.exe (69 bytes)
C:\Windows\IIS\pcla-0.dll (337 bytes)
C:\Windows\IIS\crli-0.dll (17 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.xml (2 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.fb (987 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.fb (1 bytes)
C:\Windows\IIS\riar.dll (16 bytes)
C:\Windows\IIS\iis.reg (1 bytes)
C:\Windows\IIS\pcrecpp-0.dll (32 bytes)
C:\Windows\IIS\posh.dll (6 bytes)
C:\Windows\IIS\posh-0.dll (11 bytes)
C:\Windows\IIS\riar-2.dll (32 bytes)
C:\Windows\IIS\tibe-1.dll (233 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.exe (53 bytes)
C:\Windows\IIS\chrome..xml (5 bytes)
C:\Windows\IIS\pcreposix-0.dll (9 bytes)
C:\Windows\IIS\etchCore-0.x64.dll (179 bytes)
C:\Windows\IIS\dmgd-4.dll (479 bytes)
C:\Windows\IIS\iconv.dll (22 bytes)
C:\Windows\IIS\Esteemaudit-2.1.0.xml (47 bytes)
C:\Windows\IIS\cnli-1.dll (100 bytes)
C:\Windows\IIS\Esteemaudittouch-2.1.0.fb (246 bytes)
C:\Windows\IIS\etch-0.dll (158 bytes)
C:\Windows\IIS\chrome..fb (242 bytes)
C:\Windows\IIS\trch-0.dll (73 bytes)
C:\Windows\IIS\srvany.exe (8 bytes)
C:\Windows\IIS\xdvl-0.dll (32 bytes)
C:\Windows\IIS\libeay32.dll (903 bytes)
C:\Windows\IIS\libxml2.dll (826 bytes)
C:\Windows\IIS\trfo.dll (38 bytes)
C:\Windows\IIS\etebCore-2.x64.dll (141 bytes)
C:\Windows\IIS\coli-0.dll (15 bytes)
C:\Windows\IIS\trfo-2.dll (29 bytes)
C:\Windows\IIS\tibe-2.dll (237 bytes)
C:\Windows\IIS\trch.dll (49 bytes)
C:\Windows\IIS\Eternalchampion-2.0.0.exe (158 bytes)
C:\Windows\IIS\trch-1.dll (59 bytes)
C:\Windows\IIS\chrome..exe (45 bytes)
C:\Windows\IIS\dmgd-1.dll (35 bytes)
C:\Windows\IIS\zlib1.dll (60 bytes)
C:\Windows\IIS\Cstr.xml (7 bytes)
C:\Windows\IIS\ssleay32.dll (184 bytes)
C:\Windows\IIS\Cstr.exe (129 bytes)
C:\Windows\IIS\eteb-2.dll (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ips138[1].htm (7792 bytes)
C:\Windows\boy.exe (6 bytes)
C:\Windows\IIS\CPUInfo.exe (1024 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe C:\Windows\boy.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.