Trojan.Win32.Swrort.3_08575283f0

by malwarelabrobot on August 4th, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 08575283f07432e26b260d64cc625090
SHA1: 70ddd1df57f47630328b4d9f029e1f5c78986706
SHA256: b531ee46014cd48be20bdcf477d18f01fb322fb766628a9875b9553fbcd37abc
SSDeep: 6144:te34pDRKRJ tyY2wstYDuUUjHPTDX kbIc0z:fE4tyftBSXz
Size: 264977 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

FlashPlayerUpdateService.exe:468
7z.exe:1452
okozodesktop.exe:2016
vcredist_x86.exe:376
mscorsvw.exe:1912
%original file name%.exe:588
OkozoDesktopInstaller.exe:596
install_flash_player.exe:1656
preinstaller.exe:1160
preinstaller.exe:1064
Setup.exe:1352

The Trojan injects its code into the following process(es):

okozodesktop.exe:464

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process FlashPlayerUpdateService.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)

The process 7z.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (240 bytes)

The process okozodesktop.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-lines-ps3-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vzO464.d (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\BGg464.d (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\light-speed-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\tRS464.d (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-spider-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-fish-125x125.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\tree-frog-125x125.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\dfl464.d (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\lm-white-125x125.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-dog-125x125.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ycW464.d (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\AB-Multi-125x125.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\falling-leaves-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\live-fish-125x125.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Yys464.d (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xGg464.d (1382 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\glow-clock-bp-125x125.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\aem464.d (1772 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fKw464.d (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\NlY464.d (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\ml-rainbow-125x125.png (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\3d-digital-clock-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-red-125x125.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-ants-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\pqc464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\iVe464.d (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\mm-grey-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\pink-speakers-125x125.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\mTs464.d (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-pb-125x125.png (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ifX464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vcr464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\aBowman-hamster-125x125.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\yVR464.d (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-turtles-125x125.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.464 (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Dqn464.d (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xCs464.d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\wxu464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fnf464.d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PER464.d (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\joystick-car-125x125.png (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-penguins-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\nPR464.d (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-flies-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\world-sunlight-map-v2-125x125.png (10 bytes)
%Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PJk464.d (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Uhg464.d (16 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini.qHp464 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (0 bytes)

The process okozodesktop.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\local_struct.xml (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.2016 (1206 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\166\Starry Night.aesswf (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.aesswf (676 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\166\Starry Night.aesswf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\166 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (0 bytes)

The process vcredist_x86.exe:376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\327de45119f65652f4eba1 (4 bytes)
C:\327de45119f65652f4eba1\1031\SetupResources.dll (680 bytes)
C:\327de45119f65652f4eba1\SetupEngine.dll (12353 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (894 bytes)
C:\327de45119f65652f4eba1\1041\eula.rtf (119 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (1 bytes)
C:\327de45119f65652f4eba1\1049\eula.rtf (471 bytes)
C:\327de45119f65652f4eba1\1042\eula.rtf (907 bytes)
C:\327de45119f65652f4eba1\1036\eula.rtf (8 bytes)
C:\327de45119f65652f4eba1\1028\LocalizedData.xml (514 bytes)
C:\327de45119f65652f4eba1\1031\eula.rtf (10 bytes)
C:\327de45119f65652f4eba1\header.bmp (7 bytes)
C:\327de45119f65652f4eba1\vc_red.cab (61610 bytes)
C:\327de45119f65652f4eba1\sqmapi.dll (2385 bytes)
C:\327de45119f65652f4eba1\1033\SetupResources.dll (16 bytes)
C:\327de45119f65652f4eba1\1040\SetupResources.dll (537 bytes)
C:\327de45119f65652f4eba1\2052\LocalizedData.xml (164 bytes)
C:\327de45119f65652f4eba1\watermark.bmp (6023 bytes)
C:\327de45119f65652f4eba1\1033\LocalizedData.xml (1591 bytes)
C:\327de45119f65652f4eba1\1042\SetupResources.dll (14 bytes)
C:\327de45119f65652f4eba1\vc_red.msi (2653 bytes)
C:\327de45119f65652f4eba1\DisplayIcon.ico (1877 bytes)
C:\327de45119f65652f4eba1\Graphics (4 bytes)
C:\327de45119f65652f4eba1\SetupUi.dll (4564 bytes)
C:\327de45119f65652f4eba1\$shtdwn$.req (788 bytes)
C:\327de45119f65652f4eba1\1049\SetupResources.dll (17 bytes)
C:\327de45119f65652f4eba1\1028\SetupResources.dll (396 bytes)
C:\327de45119f65652f4eba1\3082\eula.rtf (389 bytes)
C:\327de45119f65652f4eba1\1036\SetupResources.dll (736 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (894 bytes)
C:\327de45119f65652f4eba1\1028\eula.rtf (16 bytes)
C:\327de45119f65652f4eba1\1040\eula.rtf (9 bytes)
C:\327de45119f65652f4eba1\UiInfo.xml (2006 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (894 bytes)
C:\327de45119f65652f4eba1\2052\eula.rtf (16 bytes)
C:\327de45119f65652f4eba1\DHtmlHeader.html (16 bytes)
C:\327de45119f65652f4eba1\Graphics\Save.ico (79 bytes)
C:\327de45119f65652f4eba1\ParameterInfo.xml (200 bytes)
C:\327de45119f65652f4eba1\1031\LocalizedData.xml (199 bytes)
C:\327de45119f65652f4eba1\2052\SetupResources.dll (33 bytes)
C:\327de45119f65652f4eba1\3082\LocalizedData.xml (541 bytes)
C:\327de45119f65652f4eba1\1033\eula.rtf (7 bytes)
C:\327de45119f65652f4eba1\Strings.xml (14 bytes)
C:\327de45119f65652f4eba1\Graphics\Print.ico (1 bytes)
C:\327de45119f65652f4eba1\1040\LocalizedData.xml (568 bytes)
C:\327de45119f65652f4eba1\Setup.exe (932 bytes)
C:\327de45119f65652f4eba1\Graphics\Setup.ico (728 bytes)
C:\327de45119f65652f4eba1\Graphics\stop.ico (10 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (894 bytes)
C:\327de45119f65652f4eba1\1036\LocalizedData.xml (255 bytes)
C:\327de45119f65652f4eba1\1041\LocalizedData.xml (670 bytes)
C:\327de45119f65652f4eba1\SetupUi.xsd (556 bytes)
C:\327de45119f65652f4eba1\1049\LocalizedData.xml (139 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (1 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (894 bytes)
C:\327de45119f65652f4eba1\Graphics\warn.ico (10 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (894 bytes)
C:\327de45119f65652f4eba1\1041\SetupResources.dll (15 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (894 bytes)
C:\327de45119f65652f4eba1\1042\LocalizedData.xml (102 bytes)
C:\327de45119f65652f4eba1\3082\SetupResources.dll (41 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (894 bytes)
C:\327de45119f65652f4eba1\SplashScreen.bmp (1049 bytes)

The Trojan deletes the following file(s):

C:\327de45119f65652f4eba1 (0 bytes)
C:\327de45119f65652f4eba1\1031\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\SetupEngine.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (0 bytes)
C:\327de45119f65652f4eba1\1041\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1033 (0 bytes)
C:\327de45119f65652f4eba1\2052 (0 bytes)
C:\327de45119f65652f4eba1\1031 (0 bytes)
C:\327de45119f65652f4eba1\1049\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1042\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1036\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (0 bytes)
C:\327de45119f65652f4eba1\1031\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1028 (0 bytes)
C:\327de45119f65652f4eba1\header.bmp (0 bytes)
C:\327de45119f65652f4eba1\3082\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\sqmapi.dll (0 bytes)
C:\327de45119f65652f4eba1\1033\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\watermark.bmp (0 bytes)
C:\327de45119f65652f4eba1\1028\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Setup.ico (0 bytes)
C:\327de45119f65652f4eba1\1041\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (0 bytes)
C:\_663500_ (0 bytes)
C:\327de45119f65652f4eba1\Setup.exe (0 bytes)
C:\327de45119f65652f4eba1\1042\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\vc_red.msi (0 bytes)
C:\327de45119f65652f4eba1\DisplayIcon.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics (0 bytes)
C:\327de45119f65652f4eba1\Strings.xml (0 bytes)
C:\327de45119f65652f4eba1\1049\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\3082\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1036\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (0 bytes)
C:\327de45119f65652f4eba1\3082 (0 bytes)
C:\327de45119f65652f4eba1\1028\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1040\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\UiInfo.xml (0 bytes)
C:\327de45119f65652f4eba1\1040\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1031\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1036 (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Print.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Save.ico (0 bytes)
C:\327de45119f65652f4eba1\ParameterInfo.xml (0 bytes)
C:\327de45119f65652f4eba1\2052\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\2052\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\vc_red.cab (0 bytes)
C:\327de45119f65652f4eba1\1033\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1040\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\DHtmlHeader.html (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (0 bytes)
C:\327de45119f65652f4eba1\SetupUi.dll (0 bytes)
C:\327de45119f65652f4eba1\2052\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\stop.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (0 bytes)
C:\327de45119f65652f4eba1\1036\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1028\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\SetupUi.xsd (0 bytes)
C:\327de45119f65652f4eba1\1049\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (0 bytes)
C:\327de45119f65652f4eba1\1033\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\warn.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (0 bytes)
C:\327de45119f65652f4eba1\1042 (0 bytes)
C:\327de45119f65652f4eba1\1040 (0 bytes)
C:\327de45119f65652f4eba1\1041\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\1049 (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (0 bytes)
C:\327de45119f65652f4eba1\1041 (0 bytes)
C:\327de45119f65652f4eba1\1042\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\3082\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (0 bytes)
C:\327de45119f65652f4eba1\SplashScreen.bmp (0 bytes)

The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\version.xml (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (821835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tick.bmp (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\country.xml (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cross.bmp (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (2005 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\version.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\country.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (0 bytes)

The process OkozoDesktopInstaller.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\close.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll (3631 bytes)
%Documents and Settings%\%current user%\Desktop\Okozo Desktop.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Close Okozo Desktop.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll (20685 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll (275351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll (50358 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll (50901 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll (28789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\server_struct[1].xml (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll (180886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll (24858 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll (11311 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll (2800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe (1334 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll (14083 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Okozo Desktop.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust\okozodesktop.cfg (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe (24420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\Okozo Intro\Okozo Intro.aesswf (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe (3688 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Uninstall Okozo Desktop.lnk (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (0 bytes)

The process install_flash_player.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\Macromed\Flash\FlashInstall.log (2 bytes)
%System%\Macromed\Flash\flashplayer.xpt (856 bytes)
%System%\FlashPlayerApp.exe (3772 bytes)
%System%\Macromed\Flash\plugin.vch (7972 bytes)
%System%\Macromed\Flash\FlashPlayerUpdateService.exe (262 bytes)
%System%\FlashPlayerCPLApp.cpl (71 bytes)
%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll (126514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (3924 bytes)
%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe (3924 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (0 bytes)

The process preinstaller.exe:1160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb8C.tmp (0 bytes)

The process preinstaller.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe (1232953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcredist_x86.exe (323259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install_flash_player.exe (1232953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe (323259 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (0 bytes)

The process Setup.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_20140803 (1172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030.html (136546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030-MSI_vc_red.msi.txt (152863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (26876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp.html (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140803_041031452.html (52962 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HFI84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI87.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp (0 bytes)

Registry activity

The process FlashPlayerUpdateService.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 EC E0 0D 6F C6 92 C8 1B 9A B8 D9 0A 0F E3 D5"

[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"

The process 7z.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C A9 8B 9F 22 AE 4E EB F9 C9 82 F7 2C 37 D4 EF"

The process okozodesktop.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 FD DE A8 90 BB 72 2D 52 A3 B1 11 E8 73 C3 A7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "okozodesktop.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process okozodesktop.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 1D 8A 98 98 5C DC 02 46 45 5E DB 1A 4A 7D 95"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "okozodesktop.exe"

The process vcredist_x86.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 2B 62 84 D3 77 39 43 6C F5 01 4D 6C 5A 39 2A"

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 E9 A0 2C D7 42 80 00 B5 0E B0 43 DB 8D 03 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk7F.tmp\XML.dll,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop]
"okozodesktoplauncher.exe" = "okozodesktoplauncher"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process OkozoDesktopInstaller.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe wallpapers"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"ExtendedSubCommandsKey" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Classes\Okozo.Wall\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2]
"MUIVerb" = "Exit"

[HKCU\Software\Classes\.okozo]
"(Default)" = "Okozo.Wall"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\OkozoApp]
"AppGUID" = "{2290B09B-D2C9-C147-8E50-0C01669D41AD}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Okozo]
"Start Menu Folder" = "Okozo Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"NoRepair" = "1"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,5"

[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"
"MUIVerb" = "Okozo Desktop"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe exit"

[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"Position" = "bottom"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Classes\.okozo\Okozo.Wall\ShellNew]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"Publisher" = "Okozo"

"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayVersion" = "3.0.2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 7E 94 73 4A F1 DE 9E FC 6B 06 49 1C 19 72 9A"

[HKCU\Software\Classes\Okozo.Wall\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\Okozo.Wall\shell\open]
"(Default)" = "&Open"

[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1]
"MUIVerb" = "Wallpapers"

[HKCU\Software\Classes\.okozo]
"Progid" = "Okozo.Wall"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"Launchee" = "okozodesktop.exe"
"EstimatedSize" = "30962"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayName" = "Okozo Desktop"
"Launcher" = "okozodesktoplauncher.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\Directory\Background\shell\OkozoContext\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\Okozo.Wall\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Okozo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process install_flash_player.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"Version" = "14.0.0.145"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description" = "Adobe® Flash® Player 14.0.0.145 Plugin"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_14_0_0_145.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"ProductName" = "Adobe® Flash® Player 14.0.0.145 Plugin"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"vendor" = "Adobe Systems Incorporated"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"EstimatedSize" = "6144"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"XPTPath" = "%System%\Macromed\Flash\flashplayer.xpt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"NoRepair" = "1"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"PlayerPath" = "%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"URLInfoAbout" = "http://www.adobe.com"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_Plugin.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"RequiresIESysFile" = "4.70.0.1155"
"DisplayName" = "Adobe Flash Player 14 Plugin"

[HKCU\Software\Macromedia\FlashPlayer]
"FlashPlayerVersion" = "14.0.0.145~installVector=1"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "install_flash_player.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"DisplayIcon" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"UninstallerPath" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Version" = "14.0.0.145"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
"Publisher" = "Adobe Systems Incorporated"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 35 B5 CD 46 65 77 7F 3F BB 95 40 A9 C1 46 AE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"UninstallString" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe -maintain plugin"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_pepper.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Path" = "%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"DisplayVersion" = "14.0.0.145"
"NoModify" = "1"
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}\%System%]
"FlashPlayerCPLApp.cpl" = "10"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType]
"Release" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"VersionMajor" = "14"

[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"isScriptDebugger" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"VersionMinor" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Macromedia\FlashPlayer]
"ConflictingProcs"
"RerunInUIMode"

The process preinstaller.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 B8 05 19 D4 46 9C 10 FB CA 96 F6 8A 5E 44 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process preinstaller.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F5 28 2F C2 24 F4 B5 DF 7A AF 17 85 83 9A 90"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Setup.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 26 74 7C 6A EA 41 FD C7 2C D2 CB 82 27 B5 1B"

Dropped PE files

MD5 File path
04ad4b80880b32c94be8d0886482c774 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll
a51d90f2f9394f5ea0a3acae3bd2b219 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe
86e39e9161c3d930d93822f1563c280d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll
d61b9b5358e9fc3b22b4bce083aace92 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll
7a2829da1f1f4112d984a13bc71b95f5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll
91ecdb5de396a4a61cd1bbb974a8b00f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll
c9d99a6276c39cbb3c4ce53a6b82dc61 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll
aedf5459d4f0caa8600a6c6f80886927 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll
99bcba3b01c9c4eb1710d65f95f57391 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe
5bf5e85ff3133b887f68b8aca05f9686 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll
515bf9c52032c51c187e202ef4a96485 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll
45b961a4e06118cf6752d02af46d52e7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll
298c6bf1f7b7f6ea8a71a40efd8b1b35 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll
05447e2379a4e99c045bc81bea396a99 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe
6b3d35910ae5a3afb4bfdf807a3ea536 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe
81fe82a562bc47c0c80d4ea44162a916 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe
668931e57a0d0a3c10225442d2672653 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\install_flash_player.exe
42df1fbaa87567adf2b4050805a1a545 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk7F.tmp\XML.dll
cede02d7af62449a2c38c49abecc0cd3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\vcredist_x86.exe
668931e57a0d0a3c10225442d2672653 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe
cede02d7af62449a2c38c49abecc0cd3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe
1fc6060e2b7da45e4e9fb7f3e75adc0a c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll
c8bc9a2dc599f1a52dc6b42fdd47b01e c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe
4390ccd3790f8d9c427c0c29590c62d7 c:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll
00d2c06a552f782c1f16acf77db765a5 c:\WINDOWS\system32\atl100.dll
a807596cb3cb377a1a687c9734d67a37 c:\WINDOWS\system32\mfc100.dll
f7e75862299194c1b9103f7742ea7b25 c:\WINDOWS\system32\mfc100chs.dll
8280a96d8b44abbfe8a22f19eaf9ec0d c:\WINDOWS\system32\mfc100cht.dll
4af4b6e8a4d185b75122773562d25975 c:\WINDOWS\system32\mfc100deu.dll
f908fe45f8fe9e0d4cbe65f9ff5df6da c:\WINDOWS\system32\mfc100enu.dll
9328256796efad2ac9632fd9a76eed95 c:\WINDOWS\system32\mfc100esn.dll
ecaf994dbdde7409a4c2270cda8177a6 c:\WINDOWS\system32\mfc100fra.dll
d460f47453e2e186a981e1eb0dc7f6c9 c:\WINDOWS\system32\mfc100ita.dll
bf7b39a609b1c84a888158bbe6cadc3b c:\WINDOWS\system32\mfc100jpn.dll
17f28e88c2006eb6447fb31f25d7d937 c:\WINDOWS\system32\mfc100kor.dll
e25790e6e0612b621c8ea80206036672 c:\WINDOWS\system32\mfc100rus.dll
f32077df74efd435a1dcdf415e189df1 c:\WINDOWS\system32\mfc100u.dll
dfae4207ce3f2b3b88dabc6a7c73c450 c:\WINDOWS\system32\mfcm100.dll
0b6c9e162b102f7b819e61a80257ca92 c:\WINDOWS\system32\mfcm100u.dll
e3c817f7fe44cc870ecdbcbc3ea36132 c:\WINDOWS\system32\msvcp100.dll
bf38660a9125935658cfa3e53fdc7d65 c:\WINDOWS\system32\msvcr100.dll
a7e63d69f1d55a3662907ecd48b345ca c:\WINDOWS\system32\vcomp100.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 45056 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 237568 120912 121344 5.16132 8d7ba821362fd8e0bf9a56e9c6f17766

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7

URLs

URL IP
hxxp://a74.dscg10.akamai.net/version.xml
hxxp://okozo.com/wp-content/plugins/download-monitor/download.php?id=290
hxxp://a74.dscg10.akamai.net/okozodesktop-3.0.2-x86.exe
hxxp://a74.dscg10.akamai.net/server_struct.xml
hxxp://a74.dscg10.akamai.net/vcredist_x86.exe
hxxp://a1363.g.akamai.net/pki/crl/products/tspca.crl
hxxp://e891.p.akamaiedge.net/pub/flashplayer/current/support/install_flash_player.exe
hxxp://checkip.dyndns.com/
hxxp://api.ipinfodb.com/v3/ip-country/?key=82bb81cf4feda76515b25af41fbfd382a120c83c48d47e3b19d8ceb4a65e5642&format=xml&ip="%local server IP%"
hxxp://okozo.com/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://a82.dscg10.akamai.net/3d-digital-clock-125x125.png
hxxp://a82.dscg10.akamai.net/AB-Multi-125x125.png
hxxp://a82.dscg10.akamai.net/abstract-background-pb-125x125.png
hxxp://a82.dscg10.akamai.net/abstract-background-red-125x125.png
hxxp://a82.dscg10.akamai.net/abowman-dog-125x125.png
hxxp://a82.dscg10.akamai.net/abowman-fish-125x125.png
hxxp://a82.dscg10.akamai.net/aBowman-hamster-125x125.png
hxxp://a82.dscg10.akamai.net/abowman-penguins-125x125.png
hxxp://a82.dscg10.akamai.net/abowman-spider-125x125.png
hxxp://a82.dscg10.akamai.net/tree-frog-125x125.png
hxxp://a82.dscg10.akamai.net/abstract-lines-ps3-125x125.png
hxxp://a82.dscg10.akamai.net/falling-leaves-125x125.png
hxxp://a82.dscg10.akamai.net/glow-clock-bp-125x125.png
hxxp://a82.dscg10.akamai.net/interactive-ants-125x125.png
hxxp://a82.dscg10.akamai.net/interactive-flies-125x125.png
hxxp://a82.dscg10.akamai.net/joystick-car-125x125.png
hxxp://a82.dscg10.akamai.net/lm-white-125x125.png
hxxp://a82.dscg10.akamai.net/light-speed-125x125.png
hxxp://a82.dscg10.akamai.net/live-fish-125x125.png
hxxp://a82.dscg10.akamai.net/mm-grey-125x125.png
hxxp://a82.dscg10.akamai.net/ml-rainbow-125x125.png
hxxp://a82.dscg10.akamai.net/pink-speakers-125x125.png
hxxp://a82.dscg10.akamai.net/world-sunlight-map-v2-125x125.png
hxxp://a82.dscg10.akamai.net/abowman-turtles-125x125.png
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=2046495618&utmhn=okozo.com&utmcs=ISO-8859-1&utmsr=1024x768&utmvp=640x480&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=14.0 r0&utmhid=1905301063&utmr=-&utmp=/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0&utmht=1407028256140&utmac=UA-20094791-1&utmcc=__utma=149491368.505603269.1407028256.1407028256.1407028256.1;+__utmz=149491368.1407028256.1.1.utmcsr=okozodesktop-3.0.2|utmccn=0|utmcmd=okozodesktop;&utmu=q~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=2&utmn=1764794223&utmhn=okozo.com&utmt=event&utme=5(Install*Wallpapers*InstallCore)&utmcs=ISO-8859-1&utmsr=1024x768&utmvp=640x480&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=14.0 r0&utmhid=1905301063&utmr=-&utmp=/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0&utmht=1407028256150&utmac=UA-20094791-1&utmcc=__utma=149491368.505603269.1407028256.1407028256.1407028256.1;+__utmz=149491368.1407028256.1.1.utmcsr=okozodesktop-3.0.2|utmccn=0|utmcmd=okozodesktop;&utmu=6~

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
SURICATA STREAM FIN out of window
SURICATA STREAM FIN invalid ack
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA STREAM SHUTDOWN RST invalid ack

Traffic

The Trojan connects to the servers at the following location(s):

okozodesktoplauncher.exe_660:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
C:\Users\alex\Documents\toby.b\okozo-desktop\trunk\okozo\Win32\Release\OkozoDesktopLauncher.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
GetCPInfo
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
preinstaller.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe

okozodesktop.exe_464:

.text
`.rdata
@.data
.rsrc
@.reloc
Antdll.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Boost.Interprocess: Dead reference on non-Phoenix singleton of type
..\common\messageretranslator\messageretranslator.cpp
7z.cpp
7z.exe
animation.cpp
*.exe
config.exe
animationmanager.cpp
application.cpp
http://okozo.com/updates/software/installation.html?utm_source=okozodesktop-%1&utm_medium=okozodesktop&utm_campaign=0
.okozo
2downloadSucceed(const QUrl&)
SSL error: %s
downloadmanager.cpp
filehelper.cpp
tEXtXML:com.adobe.xmp
xmlns:xap="http://ns.adobe.com/xap/1.0/">
xmlns:dc="http://purl.org/dc/elements/1.1/">
2009 ParaType Ltd. All rights reserved.PT SansRegularParaTypeLtd: PT Sans: 2009PT SansVersion 1.000PTSans-RegularPT Sans is a trademark of the ParaType Ltd.ParaType LtdA.Korolkova, O.Umpeleva, V.YefimovPT Sans is a type family of universal use. It consists of 8 styles: regular and bold weights with corresponding italics form a standard computer font family; two narrow styles (regular and bold) are intended for documents that require tight set; two caption styles (regular and bold) are for texts of small point sizes. The design combines traditional conservative appearance with modern trends of humanistic sans serif and characterized by enhanced legibility. These features beside conventional use in business applications and printed stuff made the fonts quite useable for direction and guide signs, schemes, screens of information kiosks and other objects of urban visual communications.
The fonts next to standard Latin and Cyrillic character sets contain signs of title languages of the national republics of Russian Federation and support the most of the languages of neighboring countries. The fonts were developed and released by ParaType in 2009 with financial support from Federal Agency of Print and Mass Communications of Russian Federation. Design - Alexandra Korolkova with assistance of Olga Umpeleva and supervision of Vladimir Yefimov.http://www.paratype.comhttp://www.paratype.com/help/designers/Copyright
http://www.paratype.ruPT Sans
.null
uni0498.alt
uni0499.alt
uni04AA.alt02
uni04AB.alt02
afii10055.alt
afii10103.alt
uni0492.alt
uni0493.alt
uni04AA.alt
uni04AB.alt
one.numerator
fraction.alt
l.var
.aalt
.ordn
-http://crl.thawte.com/ThawteCodeSigningCA.crl0
http://ocsp.thawte.com0
Certification Services Division1!0
[email protected]
/http://crl.thawte.com/ThawtePremiumServerCA.crl0
http://ocsp.verisign.com0
"http://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0http://crl.verisign.com/ThawteTimestampingCA.crl0
http://www.paratype.com0
installedanimationxmlreader.cpp
Windows 7
Windows Vista
Windows 2003
Windows XP
main.cpp
Log dir %s created
http://okozo.com/download/
http://okozo.com/help/
1httpResponseFinished(QNetworkReply*)
1onVersionFileReceived(const QUrl&)
1onWallpaperReceived(const QUrl&)
1onContentLoaded(const QUrl&)
httpResponseFinished with error:
mainwindow.cpp
Error on Configure button click, cannot find a config.exe for
http://okozo.com/updates/software/installation.html?utm_source=okozodesktop-%1&utm_medium=wallpaper&utm_campaign=%2
:/resources/Okozo_Logo.png
:/resources/okozo_small_logo.png
:/resources/mainwindowicon.png
:/resources/settingsicon.png
:/resources/heart.png
:/resources/tick.png
:/resources/PT_Sans.ttf
:/resources/styles.qss
:/resources/settingsbutton.png
:/resources/helpbutton.png
:/resources/monitorbutton.png
:/resources/sortbybutton.png
:/resources/searchbuttonicon.png
previewwidget.cpp
downloadSucceed(QUrl)
urlString
onContentLoaded(QUrl)
onWallpaperReceived(QUrl)
onVersionFileReceived(QUrl)
httpResponseFinished(QNetworkReply*)
selectedanimations.cpp
Unexpected key '
currentwallpapers.ini
serialization\animationxmlserializer.cpp
server_struct.xml
local_struct.xml
version.xml
http://c95272.r72.cf3.rackcdn.com/server_struct.xml
http://c95272.r72.cf3.rackcdn.com/version.xml
Okozo Intro/Okozo Intro.swf
Could not query for key value for disabled monitors, error:
settings.cpp
Could not find launcher data in UninstallKey
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
s6//bd@Yxc{Ljo{ H;X5W]s.YSok.rSejf@z[Yr2XxX3}Tx~h-*Q9M!37H$GYW^5
wallpaperinstaller.cpp
Animation id is not a number in struct.xml
Animation name is empty in struct.xml
Could not read the installed animation data from struct.xml
struct.xml
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
boost thread: trying joining itself
crypter.dll
?keyPressEvent@iisIconLabel@@MAEXPAVQKeyEvent@@@Z
iistaskpanel.dll
??0QNetworkRequest@@QAE@ABVQUrl@@@Z
?metaData@QNetworkDiskCache@@UAE?AVQNetworkCacheMetaData@@ABVQUrl@@@Z
?data@QNetworkDiskCache@@UAEPAVQIODevice@@ABVQUrl@@@Z
?remove@QNetworkDiskCache@@UAE_NABVQUrl@@@Z
?url@QNetworkReply@@QBE?AVQUrl@@XZ
QtNetwork4.dll
?load@QWebView@@QAEXABVQUrl@@@Z
?setAttribute@QWebSettings@@QAEXW4WebAttribute@1@_N@Z
?settings@QWebView@@QBEPAVQWebSettings@@XZ
??0QWebView@@QAE@PAVQWidget@@@Z
?metaObject@QWebView@@UBEPBUQMetaObject@@XZ
?qt_metacast@QWebView@@UAEPAXPBD@Z
?qt_metacall@QWebView@@UAEHW4Call@QMetaObject@@HPAPAX@Z
?event@QWebView@@UAE_NPAVQEvent@@@Z
?sizeHint@QWebView@@UBE?AVQSize@@XZ
?mousePressEvent@QWebView@@MAEXPAVQMouseEvent@@@Z
?mouseReleaseEvent@QWebView@@MAEXPAVQMouseEvent@@@Z
?mouseDoubleClickEvent@QWebView@@MAEXPAVQMouseEvent@@@Z
?mouseMoveEvent@QWebView@@MAEXPAVQMouseEvent@@@Z
?wheelEvent@QWebView@@MAEXPAVQWheelEvent@@@Z
?keyPressEvent@QWebView@@MAEXPAVQKeyEvent@@@Z
?keyReleaseEvent@QWebView@@MAEXPAVQKeyEvent@@@Z
?focusInEvent@QWebView@@MAEXPAVQFocusEvent@@@Z
?focusOutEvent@QWebView@@MAEXPAVQFocusEvent@@@Z
?paintEvent@QWebView@@MAEXPAVQPaintEvent@@@Z
?resizeEvent@QWebView@@MAEXPAVQResizeEvent@@@Z
?contextMenuEvent@QWebView@@MAEXPAVQContextMenuEvent@@@Z
?dragEnterEvent@QWebView@@MAEXPAVQDragEnterEvent@@@Z
?dragMoveEvent@QWebView@@MAEXPAVQDragMoveEvent@@@Z
?dragLeaveEvent@QWebView@@MAEXPAVQDragLeaveEvent@@@Z
?dropEvent@QWebView@@MAEXPAVQDropEvent@@@Z
?changeEvent@QWebView@@MAEXPAVQEvent@@@Z
?inputMethodEvent@QWebView@@MAEXPAVQInputMethodEvent@@@Z
?inputMethodQuery@QWebView@@UBE?AVQVariant@@W4InputMethodQuery@Qt@@@Z
?focusNextPrevChild@QWebView@@MAE_N_N@Z
?createWindow@QWebView@@MAEPAV1@W4WebWindowType@QWebPage@@@Z
??1QWebView@@UAE@XZ
?networkAccessManager@QWebPage@@QBEPAVQNetworkAccessManager@@XZ
?page@QWebView@@QBEPAVQWebPage@@XZ
QtWebKit4.dll
;?winEvent@QWidget@@MAE_NPAUtagMSG@@PAJ@Z
?keyPressEvent@QPushButton@@MAEXPAVQKeyEvent@@@Z
?keyReleaseEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QLabel@@MAEXPAVQKeyEvent@@@Z
?keyReleaseEvent@QWidget@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z
?keyReleaseEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QWidget@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QLineEdit@@MAEXPAVQKeyEvent@@@Z
?exec@QApplication@@SAHXZ
!?openUrl@QDesktopServices@@SA_NABVQUrl@@@Z
?keyPressEvent@QAbstractScrollArea@@MAEXPAVQKeyEvent@@@Z
2;?viewportEvent@QAbstractScrollArea@@MAE_NPAVQEvent@@@Z
j1?setWindowState@QWidget@@QAEXV?$QFlags@W4WindowState@Qt@@@@@Z
??1QKeySequence@@QAE@XZ
?addAction@QMenu@@QAEPAVQAction@@ABVQString@@PBVQObject@@PBDABVQKeySequence@@@Z
??0QKeySequence@@QAE@W4StandardKey@0@@Z
?keyPressEvent@QMenu@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z
?keyPressEvent@QDialog@@MAEXPAVQKeyEvent@@@Z
??0QPen@@QAE@ABVQBrush@@NW4PenStyle@Qt@@W4PenCapStyle@3@W4PenJoinStyle@3@@Z
QtGui4.dll
?winEventFilter@QCoreApplication@@UAE_NPAUtagMSG@@PAJ@Z
??1QUrl@@QAE@XZ
??0QUrl@@QAE@ABVQString@@@Z
?toString@QUrl@@QBE?AVQString@@V?$QFlags@W4FormattingOption@QUrl@@@@@Z
?hasShrunk@QHashData@@QAEXXZ
?setUrl@QUrl@@QAEXABVQString@@@Z
?resolved@QUrl@@QBE?AV1@ABV1@@Z
?toUrl@QVariant@@QBE?AVQUrl@@XZ
?toEncoded@QUrl@@QBE?AVQByteArray@@V?$QFlags@W4FormattingOption@QUrl@@@@@Z
?QStringList_join@QtPrivate@@YA?AVQString@@PBVQStringList@@ABV2@@Z
?windowsVersion@QSysInfo@@SA?AW4WinVersion@1@XZ
?path@QUrl@@QBE?AVQString@@XZ
??0QUrl@@QAE@ABV0@@Z
?childKeys@QSettings@@QBE?AVQStringList@@XZ
QtCore4.dll
desk3DHook.dll
libglog.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCP100.dll
MSVCR100.dll
_amsg_exit
_acmdln
_crt_debugger_hook
.?AUwindows_bootstamp@ipcdetail@interprocess@boost@@
.?AVQWebView@@
Win32_OperatingSystem
http://www.paratype.ru
Okozo_Logo.png
gsettingsicon.png
helpbutton.png
PT_Sans.ttf
monitorbutton.png
'searchbuttonicon.png
mainwindowicon.png
styles.qss
'heart.png
tick.png
okozo_small_logo.png
settingsbutton.png
Gsortbybutton.png
eLocal\{ADBB3568-7F3C-11E1-B580-840D4824019C}


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    FlashPlayerUpdateService.exe:468
    7z.exe:1452
    okozodesktop.exe:2016
    vcredist_x86.exe:376
    mscorsvw.exe:1912
    %original file name%.exe:588
    OkozoDesktopInstaller.exe:596
    install_flash_player.exe:1656
    preinstaller.exe:1160
    preinstaller.exe:1064
    Setup.exe:1352

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-lines-ps3-125x125.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vzO464.d (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\BGg464.d (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\light-speed-125x125.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\tRS464.d (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-spider-125x125.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-fish-125x125.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\tree-frog-125x125.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\dfl464.d (296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\lm-white-125x125.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-dog-125x125.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ycW464.d (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\AB-Multi-125x125.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\falling-leaves-125x125.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\live-fish-125x125.png (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Yys464.d (1682 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xGg464.d (1382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\glow-clock-bp-125x125.png (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\aem464.d (1772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fKw464.d (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\NlY464.d (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\ml-rainbow-125x125.png (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\3d-digital-clock-125x125.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-red-125x125.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-ants-125x125.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\pqc464.d (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\iVe464.d (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\mm-grey-125x125.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\pink-speakers-125x125.png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\mTs464.d (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-pb-125x125.png (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ifX464.d (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vcr464.d (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\aBowman-hamster-125x125.png (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\yVR464.d (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-turtles-125x125.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.464 (1644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Dqn464.d (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xCs464.d (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\wxu464.d (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fnf464.d (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PER464.d (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\joystick-car-125x125.png (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-penguins-125x125.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\nPR464.d (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-flies-125x125.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\world-sunlight-map-v2-125x125.png (10 bytes)
    %Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PJk464.d (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Uhg464.d (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\local_struct.xml (707 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.2016 (1206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\166\Starry Night.aesswf (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.aesswf (676 bytes)
    C:\327de45119f65652f4eba1 (4 bytes)
    C:\327de45119f65652f4eba1\1031\SetupResources.dll (680 bytes)
    C:\327de45119f65652f4eba1\SetupEngine.dll (12353 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (894 bytes)
    C:\327de45119f65652f4eba1\1041\eula.rtf (119 bytes)
    C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (1 bytes)
    C:\327de45119f65652f4eba1\1049\eula.rtf (471 bytes)
    C:\327de45119f65652f4eba1\1042\eula.rtf (907 bytes)
    C:\327de45119f65652f4eba1\1036\eula.rtf (8 bytes)
    C:\327de45119f65652f4eba1\1028\LocalizedData.xml (514 bytes)
    C:\327de45119f65652f4eba1\1031\eula.rtf (10 bytes)
    C:\327de45119f65652f4eba1\header.bmp (7 bytes)
    C:\327de45119f65652f4eba1\vc_red.cab (61610 bytes)
    C:\327de45119f65652f4eba1\sqmapi.dll (2385 bytes)
    C:\327de45119f65652f4eba1\1033\SetupResources.dll (16 bytes)
    C:\327de45119f65652f4eba1\1040\SetupResources.dll (537 bytes)
    C:\327de45119f65652f4eba1\2052\LocalizedData.xml (164 bytes)
    C:\327de45119f65652f4eba1\watermark.bmp (6023 bytes)
    C:\327de45119f65652f4eba1\1033\LocalizedData.xml (1591 bytes)
    C:\327de45119f65652f4eba1\1042\SetupResources.dll (14 bytes)
    C:\327de45119f65652f4eba1\vc_red.msi (2653 bytes)
    C:\327de45119f65652f4eba1\DisplayIcon.ico (1877 bytes)
    C:\327de45119f65652f4eba1\SetupUi.dll (4564 bytes)
    C:\327de45119f65652f4eba1\$shtdwn$.req (788 bytes)
    C:\327de45119f65652f4eba1\1049\SetupResources.dll (17 bytes)
    C:\327de45119f65652f4eba1\1028\SetupResources.dll (396 bytes)
    C:\327de45119f65652f4eba1\3082\eula.rtf (389 bytes)
    C:\327de45119f65652f4eba1\1036\SetupResources.dll (736 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (894 bytes)
    C:\327de45119f65652f4eba1\1028\eula.rtf (16 bytes)
    C:\327de45119f65652f4eba1\1040\eula.rtf (9 bytes)
    C:\327de45119f65652f4eba1\UiInfo.xml (2006 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (894 bytes)
    C:\327de45119f65652f4eba1\2052\eula.rtf (16 bytes)
    C:\327de45119f65652f4eba1\DHtmlHeader.html (16 bytes)
    C:\327de45119f65652f4eba1\Graphics\Save.ico (79 bytes)
    C:\327de45119f65652f4eba1\ParameterInfo.xml (200 bytes)
    C:\327de45119f65652f4eba1\1031\LocalizedData.xml (199 bytes)
    C:\327de45119f65652f4eba1\2052\SetupResources.dll (33 bytes)
    C:\327de45119f65652f4eba1\3082\LocalizedData.xml (541 bytes)
    C:\327de45119f65652f4eba1\1033\eula.rtf (7 bytes)
    C:\327de45119f65652f4eba1\Strings.xml (14 bytes)
    C:\327de45119f65652f4eba1\Graphics\Print.ico (1 bytes)
    C:\327de45119f65652f4eba1\1040\LocalizedData.xml (568 bytes)
    C:\327de45119f65652f4eba1\Setup.exe (932 bytes)
    C:\327de45119f65652f4eba1\Graphics\Setup.ico (728 bytes)
    C:\327de45119f65652f4eba1\Graphics\stop.ico (10 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (894 bytes)
    C:\327de45119f65652f4eba1\1036\LocalizedData.xml (255 bytes)
    C:\327de45119f65652f4eba1\1041\LocalizedData.xml (670 bytes)
    C:\327de45119f65652f4eba1\SetupUi.xsd (556 bytes)
    C:\327de45119f65652f4eba1\1049\LocalizedData.xml (139 bytes)
    C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (1 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (894 bytes)
    C:\327de45119f65652f4eba1\Graphics\warn.ico (10 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (894 bytes)
    C:\327de45119f65652f4eba1\1041\SetupResources.dll (15 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (894 bytes)
    C:\327de45119f65652f4eba1\1042\LocalizedData.xml (102 bytes)
    C:\327de45119f65652f4eba1\3082\SetupResources.dll (41 bytes)
    C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (894 bytes)
    C:\327de45119f65652f4eba1\SplashScreen.bmp (1049 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\version.xml (256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (821835 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tick.bmp (774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\country.xml (227 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cross.bmp (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (2005 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\close.ico (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe (5494 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll (3631 bytes)
    %Documents and Settings%\%current user%\Desktop\Okozo Desktop.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Close Okozo Desktop.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll (20685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll (275351 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll (50358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll (50901 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll (28789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\server_struct[1].xml (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll (180886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll (24858 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll (11311 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll (2800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe (1334 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll (14083 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Okozo Desktop.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust\okozodesktop.cfg (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe (3941 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe (24420 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\Okozo Intro\Okozo Intro.aesswf (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe (3688 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Uninstall Okozo Desktop.lnk (1 bytes)
    %System%\Macromed\Flash\FlashInstall.log (2 bytes)
    %System%\Macromed\Flash\flashplayer.xpt (856 bytes)
    %System%\FlashPlayerApp.exe (3772 bytes)
    %System%\Macromed\Flash\plugin.vch (7972 bytes)
    %System%\Macromed\Flash\FlashPlayerUpdateService.exe (262 bytes)
    %System%\FlashPlayerCPLApp.cpl (71 bytes)
    %System%\Macromed\Flash\NPSWF32_14_0_0_145.dll (126514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (1793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (3924 bytes)
    %System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe (3924 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe (1232953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vcredist_x86.exe (323259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\install_flash_player.exe (1232953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe (323259 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_20140803 (1172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030.html (136546 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030-MSI_vc_red.msi.txt (152863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (26876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp.html (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140803_041031452.html (52962 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Okozo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
