DownLoad Link: hxxp://hot18-adult2008.com/download/502/927/0/ File Name: MediaTubeCodec_ver1.927.0.exe VirusTotal Result: 5/32 (15.62%) CAT-QuickHeal 9.50 2008.04.23 (Suspicious) - DNAScan eSafe 7.0.15.0 2008.04.21 Suspicious File Prevx1 V2 2008.04.23 Generic.Dropper.xCodec Sophos 4.28.0 2008.04.23 Mal/EncPk-DB Sunbelt 3.0.1056.0 2008.04.17 VIPRE.Suspicious File Info: File size: 61440 bytes MD5...: 407b5fe202a8ffe4ce767bc25680d248 SHA1..: a65f7d834063efaca60e6112d6b7c852fb058466 SHA256: 5805715b82467f2f67a9e619349aa010b80d0e2e428e69d6f6fd5a8d6beb8921 SHA512: 51f927ea92f774f76ac9f363db92c8ff0523575e19e8b10287d9e6c69c0e50e8 564549ffd2539fe14ea2b1432655cb9830bf713b62c67f2fa62a99946827d458 ***** PE Structure ************************************************* entrypointaddress.: 0x4250ce timedatestamp.....: 0x477bbf57 (Wed Jan 02 16:44:07 2008) machinetype.......: 0x14c (I386) ***** PE Header **************************************************** Signature: 00004550 Machine: 014C - Intel 386 Number of sections: 0005 Time/Date stamp: 477BBF57 Pointer to symbol table: 00000000 Number of symbols: 00000000 Size of optional header: 00E0 Characteristics: 0103 Magic: 010B Linker version (major): 06 Linker version (minor): 0F Size of code: 00000400 Size of initialized data: 00000600 Size of uninitialized data: 00000000 Address of entry point: 000250CE Base of code: 00025000 Base of data: 00026000 Image base: 00400000 Section alignment: 00001000 File alignment: 00000200 OS version (major): 0005 OS version (minor): 0004 Image version (major): 0000 Image version (minor): 0000 Sub system version (major): 0004 Sub system version (minor): 0000 Win32 version: 00000000 Size of image: 00028000 Size of headers: 00000400 Checksum: 00000000 Sub system: 0002 - Windows graphical user interface (GUI) subsystem DLL characteristics: 0000 Size of stack reserve: 00100000 Size of stack commit: 00001000 Size of heap reserve: 00100000 Size of heap commit: 00001000 Loader flags: 00000000 Number of RVA: 
00000010 ***** PE Sections ************************************************** Section VirtSize VirtAddr PhysSize PhysAddr Flags .υσι 00023000 00001000 0000D400 00000400 C0000040 .υσι 00001000 00024000 00000E00 0000D800 C00000C0 .share 00000384 00025000 00000400 0000E600 E0000020 .code 0000013A 00026000 00000200 0000EA00 40000040 .rsrc 00001000 00027000 00000400 0000EC00 40000040 ***** Import/Export table ****************************************** --- Import table (libraries: 3) ------------------------------------ > kernel32.dll: GetDiskFreeSpaceExA, WritePrivateProfileStructW > gdi32.dll: GetCharABCWidthsA Process Details: Process ID 952 Filename C:\file.exe Filesize 61440 bytes MD5 407b5fe202a8ffe4ce767bc25680d248 Start Reason AnalysisTarget New Files Created: \Device\RasAcd C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat Opened Files: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@download[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt C:\Documents and 
Settings\Administrator\Cookies\administrator@rad.microsoft[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt C:\Documents and Settings\Administrator\Cookies\administrator@www.download[2].txt C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt C:\file.exe \\.\PIPE\svcctl \\.\PIPE\lsarpc c:\autoexec.bat C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Chronological order: Find File: C:\Documents and Settings\Administrator\Cookies\*.txt Open File: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@download[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@microsoftwga.112.2o7[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt (OPEN_EXISTING) 
Open File: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@rad.microsoft[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@search.msn[1].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@www.download[2].txt (OPEN_EXISTING) Open File: C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt (OPEN_EXISTING) Find File: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\*.default Open File: C:\file.exe (OPEN_EXISTING) Open File: \\.\PIPE\svcctl (OPEN_EXISTING) Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS) Open File: c:\autoexec.bat (OPEN_EXISTING) Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk Find File: C:\WINDOWS\System32\Ras\*.pbk Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk Create/Open File: \Device\RasAcd (OPEN_ALWAYS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat (OPEN_EXISTING) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat Mutexes: Creates Mutex: RasPbFile Registry Changes: HKEY_LOCAL_MACHINE\Software\Microsoft\VideoPlugin "swi" = [REG_DWORD, value: 00000001] HKEY_LOCAL_MACHINE\Software\Microsoft\VideoPlugin "pn" = 0 HKEY_LOCAL_MACHINE\Software\Microsoft\VideoPlugin "said" = 0 HKEY_LOCAL_MACHINE\Software\Microsoft\VideoPlugin "aid" = 0 
HKEY_LOCAL_MACHINE\Software\Microsoft\VideoPlugin "sid" = 0 Registry Reads: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "AppData" Creates Process: CommandLine: (cmd.exe /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat") Service Management: Open Service Manager - Name: "SCM" Open Service - Name: "RASMAN" Process Started: Process ID 1208 Filename cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat Filesize 375808 bytes MD5 84ddf54db542b2eb9ef08144fb6e3645 Start Reason CreateProcess Opened Files: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat \SystemRoot\AppPatch\sysmain.sdb \SystemRoot\AppPatch\systest.sdb \Device\NamedPipe\ShimViewer C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Deleted Files: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP6TM~1.BAT Chronological order: Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS) Find File: C:\ Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat (OPEN_EXISTING) Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Get File Attributes: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat" Flags: (SECURITY_ANONYMOUS) Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat () Find File: bx18dxv.dat Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS) Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp6.tmp.bat Flags: (SECURITY_ANONYMOUS) Delete File: 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TMP6TM~1.BAT Registry Reads: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" Creates Process: Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat) CommandLine: ("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat") Process Started: Process ID 776 Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Filesize 350199 bytes MD5 b6e8a742aa97a5b8d5c2172335aee790 Start Reason CreateProcess New Files Created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsfB.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat Opened Files: \\.\PIPE\lsarpc \\.\PIPE\ntsvcs C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Deleted Files: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa9.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll Chronological order: Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS) Open File: \\.\PIPE\lsarpc (OPEN_EXISTING) Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa9.tmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Flags: (SECURITY_ANONYMOUS) Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat (OPEN_EXISTING) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsfB.tmp Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1 Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll Create File: 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2 Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1 Find File: C:\DOCUME~1\ADMINI~1 Find File: C:\DOCUME~1 Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS) Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\*.* Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll Set File Time: 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\dpevflbg.dll Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\olgdqarf.exe Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\qnmargolwdn.dll Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\vadokmxt.dll Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wdpoefan.dll Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ Flags: (SECURITY_ANONYMOUS) Set File Attributes: 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat Flags: (SECURITY_ANONYMOUS) Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\*.* Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\blowfish.dll Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\System.dll Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\ Flags: (SECURITY_ANONYMOUS) Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsvD.tmp\ Flags: (SECURITY_ANONYMOUS) Creates Process: CommandLine: (cmd.exe /Q /C "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat") As User: () Creation Flags: () CommandLine: (cmd.exe /Q /C C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat") Process Started: Process ID 1364 Filename cmd.exe /Q /C C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Filesize 375808 bytes MD5 84ddf54db542b2eb9ef08144fb6e3645 Start Reason CreateProcess New Files Created: nul C:\WINDOWS\vadokmxt.dll C:\WINDOWS\wdpoefan.dll C:\WINDOWS\olgdqarf.exe C:\WINDOWS\dpevflbg.dll C:\WINDOWS\wxvgsdbq.exe C:\WINDOWS\qnmargolwdn.dll 
Opened Files: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat vadokmxt.dll wdpoefan.dll olgdqarf.exe dpevflbg.dll wxvgsdbq.exe qnmargolwdn.dll \SystemRoot\AppPatch\sysmain.sdb \SystemRoot\AppPatch\systest.sdb \Device\NamedPipe\ShimViewer C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Chronological order: Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2 Flags: (SECURITY_ANONYMOUS) Find File: C:\DOCUME~1 Find File: C:\DOCUME~1\ADMINI~1 Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1 Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2 Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\install.bat (OPEN_EXISTING) Create File: nul Get File Attributes: vadokmxt.dll Flags: (SECURITY_ANONYMOUS) Find File: vadokmxt.dll Open File: vadokmxt.dll (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\vadokmxt.dll Flags: (SECURITY_ANONYMOUS) Copy File: vadokmxt.dll to C:\WINDOWS\vadokmxt.dll Set File Attributes: C:\WINDOWS\vadokmxt.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Set File Time: Get File Attributes: wdpoefan.dll Flags: (SECURITY_ANONYMOUS) Find File: wdpoefan.dll Open File: wdpoefan.dll (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\wdpoefan.dll Flags: (SECURITY_ANONYMOUS) Copy File: wdpoefan.dll to C:\WINDOWS\wdpoefan.dll Set File Attributes: C:\WINDOWS\wdpoefan.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Get File Attributes: olgdqarf.exe Flags: (SECURITY_ANONYMOUS) Find File: olgdqarf.exe Open File: olgdqarf.exe (OPEN_EXISTING) Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS) Get File Attributes: C:\WINDOWS\olgdqarf.exe Flags: (SECURITY_ANONYMOUS) Copy File: olgdqarf.exe to C:\WINDOWS\olgdqarf.exe Set File Attributes: C:\WINDOWS\olgdqarf.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Get File Attributes: dpevflbg.dll Flags: (SECURITY_ANONYMOUS) Find 
File: dpevflbg.dll Open File: dpevflbg.dll (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\dpevflbg.dll Flags: (SECURITY_ANONYMOUS) Copy File: dpevflbg.dll to C:\WINDOWS\dpevflbg.dll Set File Attributes: C:\WINDOWS\dpevflbg.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Get File Attributes: wxvgsdbq.exe Flags: (SECURITY_ANONYMOUS) Find File: wxvgsdbq.exe Open File: wxvgsdbq.exe (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\wxvgsdbq.exe Flags: (SECURITY_ANONYMOUS) Copy File: wxvgsdbq.exe to C:\WINDOWS\wxvgsdbq.exe Set File Attributes: C:\WINDOWS\wxvgsdbq.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Get File Attributes: qnmargolwdn.dll Flags: (SECURITY_ANONYMOUS) Find File: qnmargolwdn.dll Open File: qnmargolwdn.dll (OPEN_EXISTING) Get File Attributes: C:\WINDOWS\qnmargolwdn.dll Flags: (SECURITY_ANONYMOUS) Copy File: qnmargolwdn.dll to C:\WINDOWS\qnmargolwdn.dll Set File Attributes: C:\WINDOWS\qnmargolwdn.dll Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS) Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe Get File Attributes: ewmn.exe Flags: (SECURITY_ANONYMOUS) Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING) Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING) Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING) Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe () Find File: ewmn.exe Find File: C:\WINDOWS\system32\regsvr32.exe Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\regsvr32.exe Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\regsvr32.exe.* Get File Attributes: regsvr32.exe Flags: (SECURITY_ANONYMOUS) Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe () Registry Reads: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion" 
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar" HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" Process Management: Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe) CommandLine: (ewmn.exe C:\WINDOWS\wdpoefan.dll wdpoefan) As User: () Creation Flags: () Creates Process - Filename (C:\WINDOWS\system32\regsvr32.exe) CommandLine: (C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\qnmargolwdn.dll) As User: () Creation Flags: () Creates Process - Filename (C:\WINDOWS\system32\regsvr32.exe) CommandLine: (regsvr32.exe /s dpevflbg.dll) As User: () Creation Flags: () Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe) CommandLine: (ewmn.exe C:\WINDOWS\vadokmxt.dll vadokmxt) As User: () Creation Flags: () Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe) CommandLine: (wxvgsdbq.exe reg) As User: () Creation Flags: () Creates Process - Filename (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe) Process Started: Process ID 1468 Filename C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe ewmn.exe C:\WINDOWS\wdpoefan.dll wdpoefan Filesize 159744 bytes MD5 eca2e8e18e548cc078f43a690cc2aec4 Start Reason CreateProcess Registry Changes: HKEY_CLASSES_ROOT\CLSID\{24304517-8732-4E63-A2F9-AF998B0673C9}\InProcServer32 
"" = C:\WINDOWS\wdpoefan.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "wdpoefan" = {24304517-8732-4E63-A2F9-AF998B0673C9} Process Started: Process ID 352 Filename C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\qnmargolwdn.dll Filesize 9728 bytes MD5 29987dbd0ec36ff87cd572f0d75c2c5a Start Reason CreateProcess Opened Files: C:\WINDOWS\qnmargolwdn.dll Chronological order: Open File: C:\WINDOWS\qnmargolwdn.dll (OPEN_EXISTING) Registry Changes: HKEY_CLASSES_ROOT\MSVPS.MSVPSApp "" = DVA HKEY_CLASSES_ROOT\MSVPS.MSVPSApp\CLSID "" = {D1DE7404-BFDF-430B-AB48-3EBF39F05C9F} HKEY_CLASSES_ROOT\MSVPS.MSVPSApp\CurVer "" = DVA.Gate HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F} "" = DVA Gate HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}\ProgID "" = DVA.Gate HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}\VersionIndependentProgID "" = DVA.Gate HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}\InprocServer32 "" = C:\WINDOWS\qnmargolwdn.dll HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}\InprocServer32 "ThreadingModel" = Apartment HKEY_CLASSES_ROOT\CLSID\{D1DE7404-BFDF-430B-AB48-3EBF39F05C9F}\TypeLib "" = {7944E322-5E53-47A0-BA35-A9042ABCBEEE} HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0 "" = abme TL HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\FLAGS "" = 0 HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\0\win32 "" = C:\WINDOWS\qnmargolwdn.dll HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\HELPDIR "" = C:\WINDOWS\ HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49} "" = _IabmeEvents HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\ProxyStubClsid "" = {00020420-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\ProxyStubClsid32 "" = {00020420-0000-0000-C000-000000000046} 
HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\TypeLib "" = {7944E322-5E53-47A0-BA35-A9042ABCBEEE} HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\TypeLib "Version" = 1.0 HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7} "" = Iabme HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\TypeLib "" = {7944E322-5E53-47A0-BA35-A9042ABCBEEE} HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\TypeLib "Version" = 1.0 Registry Reads: HKEY_CLASSES_ROOT\.dll "" HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0 "" HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\FLAGS "" HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\0\win32 "" HKEY_CLASSES_ROOT\TypeLib\{7944E322-5E53-47A0-BA35-A9042ABCBEEE}\1.0\HELPDIR "" HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49} "" HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\ProxyStubClsid "" HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\ProxyStubClsid32 "" HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\TypeLib "" HKEY_CLASSES_ROOT\Interface\{11638744-0674-4E9B-8E09-253BEB5C0E49}\TypeLib "Version" HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7} "" HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\ProxyStubClsid "" HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\ProxyStubClsid32 "" HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\TypeLib "" HKEY_CLASSES_ROOT\Interface\{EC5B9043-E064-4A09-9E5E-5AC1D1FB0FA7}\TypeLib "Version" Process Started: Process ID 1332 Filename C:\WINDOWS\system32\regsvr32.exe 
regsvr32.exe /s dpevflbg.dll
Filesize: 9728 bytes
MD5: 29987dbd0ec36ff87cd572f0d75c2c5a
Start Reason: CreateProcess
Opened Files:
  C:\WINDOWS\dpevflbg.dll
Chronological order:
  Open File: C:\WINDOWS\dpevflbg.dll (OPEN_EXISTING)
Registry Changes:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}" = [REG_BINARY, size: 0 bytes]
  HKEY_CLASSES_ROOT\dpevflbg.ToolBar.1 "" = dpevflbg
  HKEY_CLASSES_ROOT\dpevflbg.ToolBar.1\CLSID "" = {547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}
  HKEY_CLASSES_ROOT\dpevflbg.begp "" = dpevflbg
  HKEY_CLASSES_ROOT\dpevflbg.begp\CLSID "" = {547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}
  HKEY_CLASSES_ROOT\dpevflbg.begp\CurVer "" = dpevflbg.1
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C} "" = dpevflbg
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\ProgID "" = dpevflbg.1
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\VersionIndependentProgID "" = dpevflbg
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\InprocServer32 "" = C:\WINDOWS\dpevflbg.dll
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\InprocServer32 "ThreadingModel" = Apartment
  HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\TypeLib "" = {6B07F9E4-138B-45C2-9A82-8651EEC5765B}
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0 "" = dpevflbg
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\FLAGS "" = 0
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\0\win32 "" = C:\WINDOWS\dpevflbg.dll
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\HELPDIR "" = C:\WINDOWS\
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9} "" = Ibegp
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046}
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046}
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\TypeLib "" = {6B07F9E4-138B-45C2-9A82-8651EEC5765B}
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\TypeLib "Version" = 1.0
Registry Reads:
  HKEY_CLASSES_ROOT\.dll ""
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0 ""
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\FLAGS ""
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\0\win32 ""
  HKEY_CLASSES_ROOT\TypeLib\{6B07F9E4-138B-45C2-9A82-8651EEC5765B}\1.0\HELPDIR ""
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9} ""
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\ProxyStubClsid ""
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\ProxyStubClsid32 ""
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\TypeLib ""
  HKEY_CLASSES_ROOT\Interface\{82A4F352-6C5B-4D62-ADF3-16D4641FA2F9}\TypeLib "Version"

Process Started: Process ID 1848
Filename: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe
Command line: ewmn.exe C:\WINDOWS\vadokmxt.dll vadokmxt
Filesize: 159744 bytes
MD5: eca2e8e18e548cc078f43a690cc2aec4
Start Reason: CreateProcess
Registry Changes:
  HKEY_CLASSES_ROOT\CLSID\{3580FA59-5E05-4518-AB77-B0067ACE5661}\InProcServer32 "" = C:\WINDOWS\vadokmxt.dll
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "vadokmxt" = {3580FA59-5E05-4518-AB77-B0067ACE5661}

Process Started: Process ID 1992
Filename: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\wxvgsdbq.exe
Command line: wxvgsdbq.exe reg
Filesize: 81920 bytes
MD5: d69167840b54fde283202f6ded168411
Start Reason: CreateProcess
Registry Changes:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo "DisplayName" = WebVideo Support
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo "uninstallString" = C:\WINDOWS\wxvgsdbq.exe

Process Started: Process ID 1952
Filename: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\ewmn.exe
Command line: ewmn.exe rembg
Filesize: 159744 bytes
MD5: eca2e8e18e548cc078f43a690cc2aec4
Start Reason: CreateProcess

Process Started: Process ID 244
Filename: cmd.exe
Command line: /Q /C C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat
Filesize: 375808 bytes
MD5: 84ddf54db542b2eb9ef08144fb6e3645
Start Reason: CreateProcess
Opened Files:
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat
Deleted Files:
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NSD26T~1.BAT
Chronological order:
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
  Find File: C:\DOCUME~1
  Find File: C:\DOCUME~1\ADMINI~1
  Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1
  Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
  Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat
  Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat (OPEN_EXISTING)
  Create File: nul
  Get File Attributes: R Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat Flags: (SECURITY_ANONYMOUS)
  Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\R
  Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat
  Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bx18dxv.dat
  Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsd26.tmp.bat Flags: (SECURITY_ANONYMOUS)
  Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NSD26T~1.BAT
Registry Reads:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"

Network Activity:
  DNS Lookup: Host Name (IP Address)
    websoftcodecdriver.com (77.91.228.187)
  Download URLs:
    hxxp://77.91.228.187/dw.php?code=00-0C-29-14-25-8F&hash=4ABB18E3E2AB122ABF96E5731BF527A2 (websoftcodecdriver.com)
    hxxp://77.91.228.187/soft/WebSoftCodecDrivern.exe (websoftcodecdriver.com)
  Outgoing connection to remote server: websoftcodecdriver.com TCP port 80
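The registry changes are the part of this report that matters for persistence. regsvr32 registers dpevflbg.dll as an Internet Explorer toolbar: the CLSID written as a value name under HKLM\Software\Microsoft\Internet Explorer\Toolbar resolves, through CLSID\{...}\InprocServer32, to C:\WINDOWS\dpevflbg.dll. ewmn.exe registers vadokmxt.dll under ShellServiceObjectDelayLoad, which explorer.exe loads at logon. wxvgsdbq.exe adds an Add/Remove Programs entry ("WebVideo Support") whose uninstaller is C:\WINDOWS\wxvgsdbq.exe. The script below is an added example and not part of the sandbox output: it parses the registry lines copied from the report above, resolves each CLSID-based autostart entry to the module it will load, and flags modules that sit directly in the Windows root or under a Temp directory. The regular expressions, the CLSID_LOADERS table and the is_odd_location heuristic are assumptions of this example, not anything the report states.

```python
import re

# Registry-change lines copied from the sandbox report above (regsvr32.exe, ewmn.exe
# and wxvgsdbq.exe records); only the whitespace between fields was normalised.
REPORT_LINES = [
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}" = [REG_BINARY, size: 0 bytes]',
    r'HKEY_CLASSES_ROOT\dpevflbg.ToolBar.1\CLSID "" = {547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}',
    r'HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\InprocServer32 "" = C:\WINDOWS\dpevflbg.dll',
    r'HKEY_CLASSES_ROOT\CLSID\{547D68A0-5DA7-46A9-AF9A-AF8E80321F8C}\InprocServer32 "ThreadingModel" = Apartment',
    r'HKEY_CLASSES_ROOT\CLSID\{3580FA59-5E05-4518-AB77-B0067ACE5661}\InProcServer32 "" = C:\WINDOWS\vadokmxt.dll',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "vadokmxt" = {3580FA59-5E05-4518-AB77-B0067ACE5661}',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo "DisplayName" = WebVideo Support',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo "uninstallString" = C:\WINDOWS\wxvgsdbq.exe',
]

# One sandbox line has the shape:  KEY "value name" = data
LINE_RE = re.compile(r'^(?P<key>.+?)\s+"(?P<name>[^"]*)"\s+=\s+(?P<data>.*)$')
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Autostart locations that name a COM object by CLSID, and the process that loads it
# (table assumed for this example; extend it for other CLSID-keyed autostarts).
CLSID_LOADERS = {
    r'\software\microsoft\windows\currentversion\shellserviceobjectdelayload':
        'ShellServiceObjectDelayLoad (loaded by explorer.exe at logon)',
    r'\software\microsoft\internet explorer\toolbar':
        'Internet Explorer toolbar (loaded into iexplore.exe)',
}


def parse_registry_lines(lines):
    """Return (key, value_name, data) tuples; lines that do not fit the pattern are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m['key'], m['name'], m['data']))
    return entries


def clsid_server_map(entries):
    """Map each CLSID to the in-process server path registered under
    CLSID\\{guid}\\InprocServer32 (the report spells the key with either case)."""
    servers = {}
    for key, name, data in entries:
        parts = key.split('\\')
        if (len(parts) >= 3 and name == ''
                and parts[-1].lower() == 'inprocserver32'
                and parts[-3].upper() == 'CLSID'):
            servers[parts[-2].upper()] = data
    return servers


def is_odd_location(path):
    """Heuristic: True for modules placed directly in the Windows root or under a
    Temp directory, where legitimately installed COM servers and uninstallers rarely live."""
    folder = path.lower().rsplit('\\', 1)[0]
    return folder == r'c:\windows' or '\\temp' in folder


def find_persistence(entries):
    """Resolve CLSID-based autostart entries to the DLL they will load and collect
    uninstall strings; returns (mechanism, identifier, path, odd_location) tuples."""
    servers = clsid_server_map(entries)
    findings = []
    for key, name, data in entries:
        lkey = key.lower()
        for suffix, mechanism in CLSID_LOADERS.items():
            if lkey.endswith(suffix):
                # IE toolbars store the CLSID as the value name, SSODL stores it as the data.
                guid = GUID_RE.search(name) or GUID_RE.search(data)
                if guid:
                    clsid = guid.group(0).upper()
                    path = servers.get(clsid, '<InprocServer32 not in report>')
                    findings.append((mechanism, clsid, path, is_odd_location(path)))
        if '\\currentversion\\uninstall\\' in lkey and name.lower() == 'uninstallstring':
            findings.append(('Uninstall entry', key.rsplit('\\', 1)[-1], data, is_odd_location(data)))
    return findings


if __name__ == '__main__':
    for mechanism, ident, path, odd in find_persistence(parse_registry_lines(REPORT_LINES)):
        flag = '  <-- unusual location' if odd else ''
        print(f'{mechanism}: {ident} -> {path}{flag}')
```

Run against the report's lines it yields three findings: the toolbar CLSID resolving to C:\WINDOWS\dpevflbg.dll, the SSODL CLSID resolving to C:\WINDOWS\vadokmxt.dll, and the WebVideo uninstall string pointing at C:\WINDOWS\wxvgsdbq.exe, all flagged because they live directly in the Windows root. The same resolution step (value name or data holds a CLSID, look up its InprocServer32) is how you turn a list of autostart keys into the list of files to pull for analysis.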
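The first download URL deserves a second look. The code parameter has the shape of a MAC address, and its first three octets, 00-0C-29, are an OUI the IEEE registry assigns to VMware, so the beacon reports the analysis VM's network adapter to the server, where that prefix is enough to tell a sandbox from a real victim. The hash parameter is 32 hex characters; the report does not say what it is a hash of. The script below is an added example and not part of the report: it extracts domains, IPs and refanged URLs from the network-activity lines copied above, finds query parameters that carry a MAC address, and looks their OUI up in a small table of virtualisation vendors. The regular expressions and the VM_OUIS table are assumptions of this example; the OUI-to-vendor assignments themselves are from the IEEE registry.

```python
import re
from urllib.parse import urlparse, parse_qs

# Network-activity lines copied from the sandbox report above (defanged hxxp:// form kept).
NETWORK_LINES = [
    'DNS Lookup: Host Name (IP Address) websoftcodecdriver.com (77.91.228.187)',
    'Download URLs: hxxp://77.91.228.187/dw.php?code=00-0C-29-14-25-8F&hash=4ABB18E3E2AB122ABF96E5731BF527A2 (websoftcodecdriver.com)',
    'hxxp://77.91.228.187/soft/WebSoftCodecDrivern.exe (websoftcodecdriver.com)',
    'Outgoing connection to remote server: websoftcodecdriver.com TCP port 80',
]

# OUIs the IEEE registry assigns to virtualisation vendors (small table assumed for this
# example). A server that receives a victim's MAC can use the same lookup to spot analysis VMs.
VM_OUIS = {
    '00:0C:29': 'VMware', '00:50:56': 'VMware', '00:05:69': 'VMware',
    '08:00:27': 'VirtualBox', '00:15:5D': 'Hyper-V', '52:54:00': 'QEMU/KVM', '00:16:3E': 'Xen',
}

URL_RE = re.compile(r'h(?:xx|tt)ps?://[^\s()]+', re.I)
DNS_RE = re.compile(r'Host Name \(IP Address\)\s+(\S+)')
REMOTE_RE = re.compile(r'remote server:\s+(\S+)', re.I)
PAREN_RE = re.compile(r'\(([^\s()]+)\)')
IP_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
HOST_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.I)
MAC_RE = re.compile(r'^[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}$', re.I)


def refang(url):
    """Restore the real scheme from the report's defanged hxxp:// form."""
    return re.sub(r'^hxxp', 'http', url, flags=re.I)


def extract_iocs(lines):
    """Collect refanged URLs, IPs and domains from sandbox network-activity lines."""
    iocs = {'urls': set(), 'ips': set(), 'domains': set()}

    def add_host(token):
        if IP_RE.match(token):
            iocs['ips'].add(token)
        elif HOST_RE.match(token):
            iocs['domains'].add(token.lower())

    for line in lines:
        for url in URL_RE.findall(line):
            url = refang(url)
            iocs['urls'].add(url)
            add_host(urlparse(url).hostname or '')
        # Hostnames also appear in the DNS line, the "remote server:" line and the
        # parenthesised annotation after each URL.
        for token in DNS_RE.findall(line) + REMOTE_RE.findall(line) + PAREN_RE.findall(line):
            add_host(token)
    return iocs


def mac_from_beacon(url):
    """Return (parameter name, normalised MAC) for the first query parameter whose
    value is a MAC address, or None when the URL carries no such parameter."""
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            if MAC_RE.match(value):
                return name, value.replace('-', ':').upper()
    return None


def vm_vendor(mac):
    """Virtualisation vendor for the MAC's OUI, or None for a prefix not in VM_OUIS."""
    return VM_OUIS.get(mac.upper().replace('-', ':')[:8])


if __name__ == '__main__':
    iocs = extract_iocs(NETWORK_LINES)
    for kind in ('domains', 'ips', 'urls'):
        for ioc in sorted(iocs[kind]):
            print(f'{kind[:-1]:7} {ioc}')
    for url in sorted(iocs['urls']):
        hit = mac_from_beacon(url)
        if hit:
            name, mac = hit
            print(f'beacon parameter {name!r} is a MAC address: {mac} '
                  f'(OUI vendor: {vm_vendor(mac) or "unknown"})')
```

On the report's lines this produces one domain, one IP and two URLs, and identifies code=00-0C-29-14-25-8F as a VMware MAC. When you replay a sample like this outside a VM, or want the second-stage download to succeed in the sandbox, the adapter's MAC is one of the first things to change, since it is handed to the server on the very first request.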
