Trojan.Win32.Generic
Risk Level 1
File Size : 2264172 KB
File Type : Portable Executable file
File Name : Xorer.exe
MD5 : e5a6277276007273a63888300de78ced
SHA1 : df701eeb5f7416346e6381491b90e8f2ac1dd440
SHA256 : b021bc0f300ed44580b75b788c6553e384077c138b0a3d7343

General information:

* File name: C:\Users\vmware\Desktop\malware\Xorer.exe

Changes to registry :

* Creates Registry key HKEY_LOCAL_MACHINE\software\Classes\Applications\iexplore.exe\shell\open\command
* Creates value "(Default)=IfObj Property Page" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
binary data=490066004F0062006A002000500072006F0070006500720074007900200050006100670065000000
* Creates value "(Default)=C:\Windows\system32\com\netcfg.dll" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0063006F006D005C006E00650074006300660067002E0064006C006C000000
* Creates value "(Default)=IfObj Control" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
binary data=490066004F0062006A00200043006F006E00740072006F006C000000
* Creates Registry key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
* Creates Registry key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
* Creates value "(Default)=C:\Windows\system32\com\netcfg.dll" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0063006F006D005C006E00650074006300660067002E0064006C006C000000
* Creates value "ThreadingModel=410070006100720074006D0065006E0074000000" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32
* Creates value "(Default)=30000000" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus
* Creates value "(Default)=131473" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1
binary data=3100330031003400370033000000
* Creates value "(Default)=IFOBJ.IfObjCtrl.1" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID
binary data=490046004F0042004A002E00490066004F0062006A004300740072006C002E0031000000
* Creates value "(Default)=C:\Windows\system32\com\netcfg.dll, 1" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0063006F006D005C006E00650074006300660067002E0064006C006C002C00200031000000
* Creates value "(Default)={814293BA-8708-42E9-A6B7-1BD3172B9DDF}" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib
binary data=7B00380031003400320039003300420041002D0038003700300038002D0034003200450039002D0041003600420037002D003100420044003300310037003200420039004400440046007D000000
* Creates value "(Default)=1.0" in key HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version
binary data=31002E0030000000
* Modifies value "409=Controls safely scriptable!" in key HKEY_LOCAL_MACHINE\software\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
binary data=43006F006E00740072006F006C007300200073006100660065006C0079002000730063007200690070007400610062006C00650021000000
old value "409=Controls that are safely scriptable"
binary data=43006F006E00740072006F006C007300200074006800610074002000610072006500200073006100660065006C0079002000730063007200690070007400610062006C0065000000
* Modifies value "409=Controls safely initializable from persistent data!" in key HKEY_LOCAL_MACHINE\software\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
binary data=43006F006E00740072006F006C007300200073006100660065006C007900200069006E0069007400690061006C0069007A00610062006C0065002000660072006F006D002000700065007200730069007300740065006E0074002000640061007400610021000000
old value "409=Controls safely initializable from persistent data"
binary data=43006F006E00740072006F006C007300200073006100660065006C007900200069006E0069007400690061006C0069007A00610062006C0065002000660072006F006D002000700065007200730069007300740065006E007400200064006100740061000000
* Creates value "(Default)=IfObj Control" in key HKEY_LOCAL_MACHINE\software\Classes\IFOBJ.IfObjCtrl.1
binary data=490066004F0062006A00200043006F006E00740072006F006C000000
* Creates value "(Default)={D9901239-34A2-448D-A000-3705544ECE9D}" in key HKEY_LOCAL_MACHINE\software\Classes\IFOBJ.IfObjCtrl.1\CLSID
binary data=7B00440039003900300031003200330039002D0033003400410032002D0034003400380044002D0041003000300030002D003300370030003500350034003400450043004500390044007D000000
* Creates value "(Default)=_DIfObjEvents" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
binary data=5F004400490066004F0062006A004500760065006E00740073000000
* Creates value "(Default)=7B00300030003000320030003400320030002D0030003000300030002D0030003000300030002D0043003000300030002D003000300030003000300030003000300030003000340036007D000000" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid
* Creates value "(Default)=7B00300030003000320030003400320030002D0030003000300030002D0030003000300030002D0043003000300030002D003000300030003000300030003000300030003000340036007D000000" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
* Creates value "(Default)={814293BA-8708-42E9-A6B7-1BD3172B9DDF}" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
binary data=7B00380031003400320039003300420041002D0038003700300038002D0034003200450039002D0041003600420037002D003100420044003300310037003200420039004400440046007D000000
* Creates value "Version=1.0" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
binary data=31002E0030000000
* Creates value "(Default)=_DIfObj" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
binary data=5F004400490066004F0062006A000000
* Creates value "(Default)=7B00300030003000320030003400320030002D0030003000300030002D0030003000300030002D0043003000300030002D003000300030003000300030003000300030003000340036007D000000" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid
* Creates value "(Default)=7B00300030003000320030003400320030002D0030003000300030002D0030003000300030002D0043003000300030002D003000300030003000300030003000300030003000340036007D000000" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32
* Creates value "(Default)={814293BA-8708-42E9-A6B7-1BD3172B9DDF}" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
binary data=7B00380031003400320039003300420041002D0038003700300038002D0034003200450039002D0041003600420037002D003100420044003300310037003200420039004400440046007D000000
* Creates value "Version=1.0" in key HKEY_LOCAL_MACHINE\software\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
binary data=31002E0030000000
* Creates value "(Default)=ifObj ActiveX Control module" in key HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0
binary data=690066004F0062006A0020004100630074006900760065005800200043006F006E00740072006F006C0020006D006F00640075006C0065000000
* Creates value "(Default)=C:\Windows\system32\com\netcfg.dll" in key HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0063006F006D005C006E00650074006300660067002E0064006C006C000000
* Creates value "(Default)=32000000" in key HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS
* Creates value "(Default)=C:\Windows\system32\com" in key HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR
binary data=43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0063006F006D000000
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\DownloadManager
* Creates value "Blob=…" in key HKEY_LOCAL_MACHINE\software\microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\iexplore_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\lsass_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "MaxLimit2=CYMJXYWSGL42516" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer
binary data=430059004D004A00580059005700530047004C00340032003500310036000000
* Modifies value "Type=radiooxboxInternet Explorer\iexplore.exe" %1Explorer\iexplore.exe" %1Startup" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
binary data=72006100640069006F0000006F00780000000000620000006F000000780000000000000049006E007400650072006E006500740020004500780070006C006F007200650072005C0069006500780070006C006F00720065002E006500780065002200200025003100000000004500000078000000700000006C0000006F0000007200000065000000720000005C000000690000006500000078000000700000006C0000006F00000072000000650000002E000000650000007800000065000000220000002000000025000000310000000000000053000000740000006100000072000000740000007500000070000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
old value "Type=checkbox"
binary data=63006800650063006B0062006F0078000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Deletes Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "AppInit_DLLs=C:\Windows\system32\dnsq.dllplorer\iexplore.exe" %1Explorer\iexplore.exe" %1Startup" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows
binary data=…
old value "AppInit_DLLs=0000"
* Deletes Registry key HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\Safer
* Creates value "PendingFileRenameOperations=\??\c:\windows\system32\com\lsass.exe!\??\C:\Windows\system32\com\lsass.exe\??\C:\Windows\system32\9474330.log!\??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe.9475329.exe" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
binary data=…
* Creates value "Type=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EverestDriver
* Creates value "Start=00000003" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EverestDriver
* Creates value "ErrorControl=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EverestDriver
* Creates value "DisplayName=Lavalys EVEREST Kernel Driver" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EverestDriver
binary data=4C006100760061006C00790073002000450056004500520045005300540020004B00650072006E0065006C0020004400720069007600650072000000
* Creates value "ImagePath=C:\Users\vmware\desktop\malware\kerneld.wnt" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EverestDriver
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C006400650073006B0074006F0070005C006D0061006C0077006100720065005C006B00650072006E0065006C0064002E0077006E0074000000
* Creates value "Type=00000001" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetApi000
* Creates value "Start=00000003" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetApi000
* Creates value "DisplayName=NetApi000" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetApi000
binary data=4E00650074004100700069003000300030000000
* Creates value "ImagePath=C:\NetApi000.sys" in key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetApi000
binary data=43003A005C004E00650074004100700069003000300030002E007300790073000000
* Creates value "LastUsedBuild=4.20.1300 Beta" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=34002E00320030002E003100330030003000200042006500740061000000
* Creates value "WindowState=30000000" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
* Creates value "WindowPosX=330" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=3300330030000000
* Creates value "WindowPosY=39" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=330039000000
* Creates value "WindowSizeX=935" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=3900330035000000
* Creates value "WindowSizeY=670" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=3600370030000000
* Creates value "MenuSizeX=191" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=3100390031000000
* Creates value "ListviewMode=Details" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
binary data=440065007400610069006C0073000000
* Creates value "Toolbars=31000000" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
* Creates value "StatusBar=31000000" in key HKEY_CURRENT_USER\software\Lavalys\EVEREST
* Creates value "UnattendLoaded=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\BrowserEmulation
* Empties value "TLDUpdates" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\BrowserEmulation
old value "TLDUpdates=00000001"
* Empties value "StaleIETldCache" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\IETld
old value "StaleIETldCache=00000001"
* Modifies value "LinksFolderMigrate=04FFFEE81FB7D101" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar
old value "LinksFolderMigrate=EC4E2FF625B0D101"
* Creates value "MarketingLinksMigrate=858408E91FB7D101" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar
* Creates value "Path=C:\Users\vmware\Favorites\Links\Suggested Sites.url" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C004600610076006F00720069007400650073005C004C0069006E006B0073005C005300750067006700650073007400650064002000530069007400650073002E00750072006C000000
* Creates value "Handler={B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
binary data=7B00420030004600410037004400370043002D0037003100390035002D0034004600300033002D0042003000330045002D003900440043003100430039004500420043003300390034007D000000
* Creates value "FeedUrl=https://ieonline.microsoft.com/#ieslice" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
binary data=680074007400700073003A002F002F00690065006F006E006C0069006E0065002E006D006900630072006F0073006F00660074002E0063006F006D002F0023006900650073006C006900630065000000
* Creates value "DisplayName=Suggested Sites" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
binary data=5300750067006700650073007400650064002000530069007400650073000000
* Creates value "DisplayMask=00000004" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
* Creates value "ErrorState=00000040" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
* Creates value "Path=C:\Users\vmware\Favorites\Links\Web Slice Gallery.url" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C004600610076006F00720069007400650073005C004C0069006E006B0073005C00570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C000000
* Creates value "Handler={B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
binary data=7B00420030004600410037004400370043002D0037003100390035002D0034004600300033002D0042003000330045002D003900440043003100430039004500420043003300390034007D000000
* Creates value "FeedUrl=http://go.microsoft.com/fwlink/?LinkId=121315" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
binary data=68007400740070003A002F002F0067006F002E006D006900630072006F0073006F00660074002E0063006F006D002F00660077006C0069006E006B002F003F004C0069006E006B00490064003D003100320031003300310035000000
* Creates value "DisplayName=Web Slice Gallery" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
binary data=570065006200200053006C006900630065002000470061006C006C006500720079000000
* Creates value "DisplayMask=00000004" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
* Creates value "ErrorState=00000040" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
* Creates value "FullScreen=no" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=6E006F000000
* Creates value "Window_Placement=2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF27000000270000000C0400007F020000" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
* Creates value "IE8RunOnceLastShown=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
* Creates value "IE8RunOnceLastShown_TIMESTAMP=4B6D9BFA1FB7D101" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
* Creates value "IE8TourShown=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
* Creates value "IE8TourShownTime=8698CAFE1FB7D101" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
* Creates value "Check_Associations=yes" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main
binary data=7900650073000000
* Creates value "Version=WS scopes not configured" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\WindowsSearch
binary data=570053002000730063006F0070006500730020006E006F007400200063006F006E0066006900670075007200650064000000
* Creates value "DefaultScope=7B00300036003300330045004500390033002D0044003700370036002D0034003700320066002D0041003000460046002D004500310034003100360042003800420032004500330041007D000000" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes
* Creates value "SuggestionsURLFallback=http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
binary data=…
* Creates value "FaviconURLFallback=http://www.bing.com/favicon.ico" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
binary data=68007400740070003A002F002F007700770077002E00620069006E0067002E0063006F006D002F00660061007600690063006F006E002E00690063006F000000
* Creates value "DisplayName=Bing" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
binary data=420069006E0067000000
* Creates value "URL=http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
binary data=68007400740070003A002F002F007700770077002E00620069006E0067002E0063006F006D002F007300650061007200630068003F0071003D007B007300650061007200630068005400650072006D0073007D0026007300720063003D00490045002D0053006500610072006300680042006F007800260046004F0052004D003D004900450038005300520043000000
* Creates value "HaveCreatedQuickLaunchItems=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Setup
* Creates value "MigrationTime=6A868FFA1FB7D101" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Suggested Sites
* Creates value "SlicePath=C:\Users\vmware\Favorites\Links\Suggested Sites.url" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Suggested Sites
binary data=43003A005C00550073006500720073005C0076006D0077006100720065005C004600610076006F00720069007400650073005C004C0069006E006B0073005C005300750067006700650073007400650064002000530069007400650073002E00750072006C000000
* Creates value "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977=01000000D08C9DDF0115D1118C7A00C04FC297EB010000006E6BE1BEB6E64C41A4332E2C994F0BB700000000020000000000106600000001000020000000F1D0E531D5740CD612301181D0681AC0F39153AC38E348349A9DB0B2BD123DD6000000000E80000000020000200000006C5244121A77E423CBA913F5766B28E87B1362BF2AB3975DEA76DF66C9AE512750000000979F8DF5A7BEF7A599446EBD24FDCBC630724804FA922A4DD5F4FF6DF6D25CE3992B87BED366270EB0FADB1612815AF6AF0B0D1889796290EC8FDED4692568BC59930048AF5DC0F39262577FF1928B5B40000000C8977BBEA67F6CC6FE4594CC0190B93538465B72D1F575C6FA72F56A8FCBED20070D996931282FA9E189CB409E90F2A3E7C21C3F270C9D6FBAF5D3B89F65F0E7" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\User Preferences
* Creates value "…" in key HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\User Preferences
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d830145d-1c80-11e6-b8aa-806e6f6e6963}
old value empty
* Creates value "Order=08000000020000000C01000001000000020000007E0000000000000070003200EC000000BA48633B20005355474745537E312E55524C0000540008000400EFBEBA48613BBA48613B2A0000003C52FFFFFFFFFCFF00000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000B148C4522000574542534C497E312E55524C0000580008000400EFBEB148C452B148C4522A00000058A30000000001000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
* Creates value "CachePath=%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016052620160527" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052620160527
binary data=25005500530045005200500052004F00460049004C00450025005C0041007000700044006100740061005C004C006F00630061006C005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C0048006900730074006F00720079005C0048006900730074006F00720079002E004900450035005C004D00530048006900730074003000310032003000310036003000350032003600320030003100360030003500320037000000
* Creates value "CachePrefix=:2016052620160527: " in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052620160527
binary data=3A0032003000310036003000350032003600320030003100360030003500320037003A0020000000
* Creates value "CacheLimit=00002000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052620160527
* Creates value "CacheOptions=0000000B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016052620160527
* Creates value "CachePath=%APPDATA%\Microsoft\Windows\PrivacIE" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
binary data=2500410050005000440041005400410025005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C00500072006900760061006300490045000000
* Creates value "CachePrefix=PrivacIE:" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
binary data=500072006900760061006300490045003A000000
* Creates value "CacheLimit=00000400" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
* Creates value "CacheOptions=00000009" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\PrivacIE:
* Modifies value "SavedLegacySettings=…" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=…"
* Creates value "SecuritySafe=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000
* Creates value "Xorer.exe=Xorer.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\vmware\Desktop\malware
binary data=58006F007200650072002E006500780065000000
* Creates value "cacls.exe=Control ACLs Program" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=43006F006E00740072006F006C002000410043004C0073002000500072006F006700720061006D000000
* Creates value "xorer.exe.log=xorer.exe.log" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\desktop\malware
binary data=78006F007200650072002E006500780065002E006C006F0067000000
* Creates value "cmd.exe=Windows Command Processor" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=570069006E0064006F0077007300200043006F006D006D0061006E0064002000500072006F0063006500730073006F0072000000
* Creates value "lsass.exe=lsass.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com
binary data=6C0073006100730073002E006500780065000000
* Creates value "xorer.exe=EVEREST Ultimate Edition" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\user\current\desktop\malware
binary data=4500560045005200450053005400200055006C00740069006D006100740065002000450064006900740069006F006E000000
* Creates value "smss.exe=smss.exe" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com
binary data=73006D00730073002E006500780065000000
* Creates value "PING.EXE=TCP/IP Ping Command" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Windows\System32
binary data=5400430050002F00490050002000500069006E006700200043006F006D006D0061006E0064000000
* Creates value "iexplore.exe=Internet Explorer" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Internet Explorer
binary data=49006E007400650072006E006500740020004500780070006C006F007200650072000000

Changes to filesystem:

* Creates file (hidden) C:\037589.log
* Creates file (hidden) C:\AUTORUN.INF
* Creates file (hidden) C:\pagefile.pif
* Creates file C:\Windows\system32\9474330.log
* Modifies file C:\Windows\system32\CatRoot2\edb.chk
* Creates file (hidden) C:\Windows\system32\com\lsass.exe
* Creates file (hidden) C:\Windows\system32\com\netcfg.000
* Creates file (hidden) C:\Windows\system32\com\netcfg.dll
* Creates file (hidden) C:\Windows\system32\com\smss.exe
* Creates file (hidden) C:\Windows\system32\dnsq.dll
* Modifies file C:\Users\vmware\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
* Modifies file (hidden) C:\Users\vmware\AppData\Local\Microsoft\Feeds Cache\index.dat
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Feeds Cache\NITAWQV3\ieonline.microsoft[1]
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20FF827F-2313-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{65EE3810-2314-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{27FFEEAB-2313-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3C68DB25-2313-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{65EE3811-2314-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{9AD42C87-2314-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{9BD07E64-2314-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9BD07E65-2314-11E6-95AC-000C29164906}.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9BD07E66-2314-11E6-95AC-000C29164906}.dat
* Modifies file (hidden) C:\Users\vmware\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
* Creates hidden folder C:\Users\vmware\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016052620160527
* Creates file (hidden) C:\Users\vmware\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016052620160527\index.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\08ce8e54-41ba-4695-9963-a7669022faec_12[1].eot
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\caf[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\dg2[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\domainpark[1].html
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\go[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\js3caf[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\MicrosoftAjax[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\orange[1].png
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\siteresource[1].css
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\style[1].css
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\track[1].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\track[2].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3GKWEZHM\track[3].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\15d2470f-0fcf-45e9-bf5b-c943236a61cf_534[1].css
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\arr_3faad3[1].png
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\chalkboard[1].jpg
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\css[1]
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\ga[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\json3.min[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\modernizr.wol[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\r[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\style[1].css
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\track[1].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\track[2].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\track[3].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5LRAS79D\windows8_site_ltr[1].css
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\736e3781-6a19-4119-b717-e61f0d8982c0_12[1].eot
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\93e33485-fea3-4687-a642-2c5dd233522f_12[1].eot
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\css[1]
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\css[2]
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\domainpark[1].asp
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\domainpark[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\domainpark[1].html
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\domainpark[2].html
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\sale_form[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\sale_simple[1].png
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\slave[1].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\track[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\webfont[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FOG1DG7X\wol.common[1].js
* Modifies file (hidden) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\5a7873a1-fd4e-4462-8ab2-32bd729117c6_7[1].png
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\e64030e7-ad8c-4be8-a45a-b69a2df3caef_13[1].eot
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\ie-8-welcome[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\jquery-1.8.3.min[1].js
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg[1].eot
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\qb2[1].htm
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\saledefault[1].css
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\T5vB8h5AY7XmkrpRXqdjXvesZW2xOQ-xsNqO47m55DA[1].eot
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\track[1].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\track[2].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\track[3].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\track[4].htm
* Creates file (empty) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KT51VCJF\track[5].htm
* Creates file C:\Users\vmware\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
* Creates file C:\Users\vmware\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1
* Changes file attributes C:\Users\vmware\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
* Modifies file (hidden) C:\Users\vmware\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
* Modifies file (hidden) C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Cookies\vmware@jj.gxgxy[2].txt
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Cookies\vmware@js.k0102[2].txt
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Cookies\vmware@w.c0mo[2].txt
* Creates hidden folder C:\Users\vmware\AppData\Roaming\Microsoft\Windows\PrivacIE
* Creates file (hidden) C:\Users\vmware\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
* Modifies file C:\Users\vmware\desktop\malware\xorer.exe
* Creates file C:\Users\vmware\Favorites\Links\Suggested Sites.url

Network services:

* Queries DNS "www.baidu.com".
* Queries DNS "go.microsoft.com".
* Queries DNS "w.c0mo.com".
* Queries DNS "www.google.com".
* Queries DNS "d32ffatx74qnju.cloudfront.net".
* Queries DNS "fonts.googleapis.com".
* Queries DNS "www.parkingcrew.net".
* Queries DNS "fonts.gstatic.com".
* Queries DNS "www.google-analytics.com".
* Queries DNS "www.gstatic.com".
* Queries DNS "dp.g.doubleclick.net".
* Queries DNS "ajax.googleapis.com".
* Queries DNS "afs.googleusercontent.com".
* Queries DNS "windows.microsoft.com".
* Queries DNS "res2.windows.microsoft.com".
* Queries DNS "res1.windows.microsoft.com".
* Queries DNS "ieonline.microsoft.com".
* Queries DNS "js.k0102.com".
* Queries DNS "www.bing.com".
* Queries DNS "ajax.aspnetcdn.com".
* Queries DNS "ocsp.omniroot.com".
* Queries DNS "js.microsoft.com".
* Queries DNS "jj.gxgxy.net".
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "54.72.9.51" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.132" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "54.230.191.23" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "74.125.200.95" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "185.53.177.20" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.163" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.174" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.220.2" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.170" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.161" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "23.211.193.138" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "65.52.103.234" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "184.26.162.25" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "204.79.197.200" on port 443 (TCP - HTTPS).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "204.79.197.200" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "68.232.45.201" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "117.18.237.191" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "23.35.10.178" on port 80 (TCP - HTTP).
* C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com\lsass.exe Connects to "216.58.220.14" on port 80 (TCP - HTTP).
* C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com\lsass.exe Connects to "54.230.191.238" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "54.230.191.67" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.142" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.162" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.131" on port 80 (TCP - HTTP).
* C:\Program Files\Internet Explorer\iexplore.exe Connects to "216.58.199.130" on port 80 (TCP - HTTP).
* Downloads file from "w.c0mo.com/r.htm".
* Downloads file from "www.google.com/adsense/domains/caf.js".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/saledefault.css".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/assets/style.css".
* Downloads file from "fonts.googleapis.com/css?family=Libre+Baskerville:400,700".
* Downloads file from "fonts.googleapis.com/css?family=Boogaloo".
* Downloads file from "www.parkingcrew.net/scripts/sale_form.js".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/cleanPeppermintBlack_4b29b84c/style.css".
* Downloads file from "fonts.gstatic.com/s/librebaskerville/v4/pR0sBQVcY0JZc_ciXjFsK2F7WC2UG4aaA4SZk0HPHJg.eot".
* Downloads file from "fonts.gstatic.com/s/boogaloo/v6/T5vB8h5AY7XmkrpRXqdjXvesZW2xOQ-xsNqO47m55DA.eot".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/cleanPeppermintBlack_4b29b84c/images/chalkboard.jpg".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/sale/orange.png".
* Downloads file from "d32ffatx74qnju.cloudfront.net/scripts/js3caf.js".
* Downloads file from "www.google-analytics.com/ga.js".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&toggle=browserjs&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=2111889620&utmhn=w.c0mo.com&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=c0mo.com&utmhid=1150002770&utmr=-&utmp=%2Fr.htm&utmht=1464247607567&utmac=UA-48689684-1&utmcc=__utma%3D35451623.66272890.1464247606.1464247606.1464247606.1%3B%2B__utmz%3D35451623.1464247606.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=885079650&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247607786&rid=5451888".
* Downloads file from "dp.g.doubleclick.net/static/caf/slave.html".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet03_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2325302772630928&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=w.c0mo.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247607879&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fw.c0mo.com%2Fr.htm".
* Downloads file from "ajax.googleapis.com/ajax/libs/webfont/1/webfont.js".
* Downloads file from "fonts.googleapis.com/css?family=Libre+Baskerville".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "w.c0mo.com/track.php?domain=c0mo.com&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzYwMC40NzM5OjQ5NmJjOTEyMjQwMDBhMDVhYjY4ZWFmNDI3ZmU3MjViMTZiMDhlN2Q1ODExMzNiZDNkYTkxY2YzMmQzNzdjYjM6NTc0NmE1MzA3M2I5Ng%3D%3D".
* Downloads file from "afs.googleusercontent.com/dp-teaminternet/arr_3faad3.png".
* Downloads file from "w.c0mo.com/favicon.ico".
* Downloads file from "go.microsoft.com/fwlink/?LinkID=121792".
* Downloads file from "windows.microsoft.com/en-US/internet-explorer/products/ie-8/welcome".
* Downloads file from "windows.microsoft.com/en-us/internet-explorer/ie-8-welcome".
* Downloads file from "windows.microsoft.com/scripts/4.2/wol/modernizr.wol.js".
* Downloads file from "res2.windows.microsoft.com/resources/4.2/wol/shared/css/windows8_site_ltr.css".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/15d2470f-0fcf-45e9-bf5b-c943236a61cf_534.css".
* Downloads file from "res1.windows.microsoft.com/siteresources/siteresource.ashx?id=wolNotificationCSS&hash=82512a82d6c2cb2120298514a390b3a6f2023c70e80c6401d351bc5f357b0368&us=WOLWebUrl&var=LTR".
* Downloads file from "www.bing.com/favicon.ico".
* Downloads file from "js.k0102.com/go.asp".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/e64030e7-ad8c-4be8-a45a-b69a2df3caef_13.eot?".
* Downloads file from "res1.windows.microsoft.com/resbox/en/windows/main/93e33485-fea3-4687-a642-2c5dd233522f_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/736e3781-6a19-4119-b717-e61f0d8982c0_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/08ce8e54-41ba-4695-9963-a7669022faec_12.eot?".
* Downloads file from "res2.windows.microsoft.com/resbox/en/windows/main/5a7873a1-fd4e-4462-8ab2-32bd729117c6_7.png".
* Downloads file from "ajax.aspnetcdn.com/ajax/4.5.1/1/MicrosoftAjax.js".
* Downloads file from "ajax.aspnetcdn.com/ajax/jQuery/jquery-1.8.3.min.js".
* Downloads file from "windows.microsoft.com/scripts/4.2/wol/wol.common.js".
* Downloads file from "ocsp.omniroot.com/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D".
* Downloads file from "js.microsoft.com/library/svy/windows/pre_broker.js".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=1678327964&utmhn=js.k0102.com&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmvp=388x198&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=k0102.com&utmhid=673316303&utmr=-&utmp=%2Fgo.asp&utmht=1464247645413&utmac=UA-48689684-1&utmcc=__utma%3D210768270.919903980.1464247645.1464247645.1464247645.1%3B%2B__utmz%3D210768270.1464247645.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=2032183097&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "d32ffatx74qnju.cloudfront.net/scripts/json3.min.js".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&toggle=browserjs&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247650296&rid=590643".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket042&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2823696925907968&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=js.k0102.com&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247650296&u_w=1596&u_h=748&biw=388&bih=198&psw=388&psh=198&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjs.k0102.com%2Fgo.asp".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
* Downloads file from "js.k0102.com/track.php?domain=k0102.com&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzYzOC4yMTU3OjZiMTYzMjNkMGRmYmNjMGQzMWJjN2RlYTViYzU3M2RkZjkyZTU4ZDE4NTU1NzcwMmJjN2E5NzU1YmIyMTA4NjI6NTc0NmE1NTYzNGFmNQ%3D%3D".
* Downloads file from "jj.gxgxy.net/html/qb2.html".
* Downloads file from "d32ffatx74qnju.cloudfront.net/themes/sale/sale_simple.png".
* Downloads file from "www.google-analytics.com/r/__utm.gif?utmwv=5.6.7&utms=1&utmn=2108403946&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=388656735&utmr=-&utmp=%2Fhtml%2Fqb2.html&utmht=1464247837765&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=1505610952&utmredir=1&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&toggle=browserjs&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464247838810&rid=1100944".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket047&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464247838825&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fqb2.html".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0NzgzNS4yMDk6MWEzNjVlN2NmYWJmN2EyMDM1MGI3MjZlZTc3Y2FjZGM4YjVjNzA5YWRmZWNlMzQwMDU2M2FmMTZhZjhmYmMwYjo1NzQ2YTYxYjMzMDg1".
* Downloads file from "jj.gxgxy.net/favicon.ico".
* Downloads file from "jj.gxgxy.net/html/dg2.html".
* Downloads file from "www.google-analytics.com/__utm.gif?utmwv=5.6.7&utms=2&utmn=915075319&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=1839811070&utmr=-&utmp=%2Fhtml%2Fdg2.html&utmht=1464248133603&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&toggle=browserjs&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464248136708&rid=5240133".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464248136739&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fdg2.html".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=feed&feed=afc&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "jj.gxgxy.net/track.php?domain=gxgxy.net&caf=1&toggle=answercheck&answer=yes&uid=MTQ2NDI0ODEzMC45MTQxOmRkODVjNjI0MDQ3ZjlmNzQyNWY3MGQ5NzQzYzJkMGY3YWZjODk3ZGYxMzcyYjVkY2U4OGIzM2JjNGQ1NTI5YjA6NTc0NmE3NDJkZjMxNQ%3D%3D".
* Downloads file from "www.google-analytics.com/__utm.gif?utmwv=5.6.7&utms=3&utmn=1556373926&utmhn=jj.gxgxy.net&utme=8(Theme*Theme%20Type*Category%20ID*5!domty)9(CleanPeppermintBlack*two*0*5!ascii)11(1)&utmcs=utf-8&utmsr=1596x748&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=-&utmdt=gxgxy.net&utmhid=667778495&utmr=-&utmp=%2Fhtml%2Fdg2.html&utmht=1464248146879&utmac=UA-48689684-1&utmcc=__utma%3D210745806.660855929.1464247836.1464247836.1464247836.1%3B%2B__utmz%3D210745806.1464247836.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=&utmu=qxQAAAAAAAAAAAAAAAAAAAAE~".
* Downloads file from "www.gstatic.com/domainads/tracking/caf.gif?ts=1464248147612&rid=2949206".
* Downloads file from "dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?max_radlink_len=40&r=m&fexp=21404&client=dp-teaminternet02_3ph&channel=bucket011%2Cbucket048&hl=hi&adtest=off&type=3&optimize_terms=on&drid=as-drid-2347195947241528&uiopt=false&oe=UTF-8&ie=UTF-8&format=r10%7Cs&adrep=0&num=0&output=caf&domain_name=jj.gxgxy.net&v=3&allwcallad=1&adext=as1%2Csr1%2Cctc1&bsl=8&u_his=0&u_tz=330&dt=1464248147612&u_w=1596&u_h=748&biw=0&bih=0&psw=0&psh=0&frm=0&uio=uv3cs1ff2sa16fa2sl1sr1cc1-wi666st22sa14lt33-&jsv=13427&rurl=http%3A%2F%2Fjj.gxgxy.net%2Fhtml%2Fdg2.html".

Process/window/string information:

* Keylogger functionality.
* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Modifies access control lists (ACLs) of files.
* Creates process "null, cmd.exe /c echo ok, null".
* Injects code into process "C:\Windows\System32\cmd.exe".
* Creates process "C:\Windows\System32\cacls.exe, "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g vmware:F, C:\Users\vmware\Desktop\malware".
* Injects code into process "C:\Windows\System32\cacls.exe".
* Creates process "C:\Windows\System32\cacls.exe, "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F, C:\Users\vmware\Desktop\malware".
* Enables privilege SeDebugPrivilege.
* Creates a service named "NetApi000".
* Starts a service.
* Enumerates running processes.
* Creates process "c:\users\vmware\desktop\malware\xorer.exe.log, null, null".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\desktop\malware\xorer.exe.log".
* Creates process "C:\Windows\system32\cacls.exe, "C:\Windows\system32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g vmware:F, C:\Users\vmware\desktop\malware".
* Creates process "C:\Windows\system32\cacls.exe, "C:\Windows\system32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F, C:\Users\vmware\desktop\malware".
* Opens a service named "NetApi000".
* Creates process "null, cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe", null".
* Creates process "null, cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe", null".
* Creates process "C:\Windows\system32\com\lsass.exe, null, null".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com\lsass.exe".
* Creates process "C:\Users\vmware\Desktop\malware\xorer.exe, "C:\Users\vmware\Desktop\malware\xorer.exe" , C:\Users\vmware\desktop\malware".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\user\current\desktop\malware\xorer.exe".
* Creates process "C:\Windows\system32\com\lsass.exe, ^c:\users\vmware\desktop\malware\xorer.exe.log, null".
* Creates process "C:\Windows\system32\cacls.exe, "C:\Windows\system32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g vmware:F, C:\Users\vmware\desktop\malware".
* Creates process "C:\Windows\system32\cacls.exe, "C:\Windows\system32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F, C:\Users\vmware\desktop\malware".
* Creates process "null, cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe", null".
* Opens a service named "EverestDriver".
* Creates a service named "EverestDriver".
* Stops a service.
* Deletes a service.
* Creates process "C:\Windows\system32\regsvr32.exe, "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s, C:\Users\vmware\desktop\malware".
* Injects code into process "C:\Windows\System32\regsvr32.exe".
* Creates process "C:\Windows\system32\com\smss.exe, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe, null".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\Windows\system32\com\smss.exe".
* Creates process "null, cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll", null".
* Modifies screensaver status.
* Creates process "C:\ntfsus.exe, null, null".
* Creates process "null, cmd.exe /c rd /s /q "C:\Windows\system32\com\bak", null".
* Creates process "null, ping.exe -f -n 1 www.baidu.com, null".
* Injects code into process "C:\Windows\System32\PING.EXE".
* Creates process "c:\program files\internet explorer\iexplore.exe, http://w.c0mo.com/r.htm, null".
* Injects code into process "C:\Program Files\Internet Explorer\iexplore.exe".
* Creates process "null, "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon, null".
* Injects code into process "C:\Windows\System32\ie4uinit.exe".
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "Local\!BrowserEmulation!SharedMemory!Mutex".
* Creates an event named "Isolation Signal Registry Event (20FF827E-2313-11E6-95AC-000C29164906, 0)".
* Opens a service named "Sens".
* Opens a service named "rasman".
* Creates a mutex "ConnHashTable<1384>_HashTable_Mutex".
* Creates a mutex "IESQMMUTEX_0_208".
* Opens a service named "WSearch".
* Creates an event named "OleDfRoot388845E180BE8074".
* Creates an event named "Isolation Signal Registry Event (27FFEEAC-2313-11E6-95AC-000C29164906, 0)".
* Creates an event named "OleDfRoot5F904A584EDB5010".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "Local\RSS Eventing Connection Database Mutex 00000568".
* Creates an event named "Local\RSS Eventing Event Event 00000568".
* Creates a mutex "Local\Feed Eventing Shared Memory Mutex S-1-5-21-4181251035-1584676081-2777171207-1000".
* Creates an event named "Local\Feed Arbitration Lock Event [ Process : 0x00000568 ]".
* Creates an event named "Local\Feed Arbitration Unlock Event [ Process : 0x00000568 ]".
* Creates a mutex "Local\Feed Arbitration Shared Memory Mutex [ User : S-1-5-21-4181251035-1584676081-2777171207-1000 ]".
* Creates an event named "OleDfRoot842C470952C609A".
* Creates a mutex "Local\Feeds Store Mutex S-1-5-21-4181251035-1584676081-2777171207-1000".
* Creates an event named "OleDfRoot91029DB75E411170".
* Creates a mutex "Local\!PrivacIE!SharedMemory!Mutex".
* Creates a mutex "_!SHMSFTHISTORY!_".
* Creates an event named "IEFrame.EventCheckDefaultBrowser".
* Creates an event named "Isolation Signal Registry Event (3C68DB26-2313-11E6-95AC-000C29164906, 0)".
* Creates a mutex "Local\Feed Arbitration Validity Mutex [ Write Request : {3C68DB27-2313-11E6-95AC-000C29164906} ]".
* Creates an event named "Local\Feed Arbitration Unlock Event [ Write Request : {3C68DB27-2313-11E6-95AC-000C29164906} ]".
* Creates an event named "OleDfRootBAC3D53A69744EE4".
* Creates an event named "OleDfRootBB13BC955EA45FEE".
* Creates an event named "OleDfRoot9B3D9F66513EAFBE".
* Creates an event named "OleDfRoot80D859C48891A827".
* Creates an event named "OleDfRootAE6614DA9A0357D9".
* Creates an event named "OleDfRootAB31D1335062D9FF".
* Creates an event named "OleDfRoot2C63211E2DB5249A".
* Creates an event named "OleDfRootF9EC88B78F8200E0".
* Creates an event named "OleDfRoot2841EF5AD14B3840".
* Creates an event named "OleDfRoot687AEF9ED3704F18".
* Creates an event named "OleDfRoot1F89003F45A68FCB".
* Injects code into process "C:\Program Files\Sandboxie\SandboxieCrypto.exe".
* Opens a service named "CryptSvc".
* Opens a service named "AudioSrv".
* Creates a mutex "Local\MidiMapper_modLongMessage_RefCnt".
* Creates process "c:\program files\internet explorer\iexplore.exe, http://jj.gxgxy.net/html/qb2.html, null".
* Creates an event named "Isolation Signal Registry Event (AD35AF0E-2313-11E6-95AC-000C29164906, 0)".
* Creates a mutex "ConnHashTable<2572>_HashTable_Mutex".
* Creates an event named "OleDfRoot3253F8837BB5B73D".
* Creates an event named "Isolation Signal Registry Event (B391DC49-2313-11E6-95AC-000C29164906, 0)".
* Creates a mutex "Local\RSS Eventing Connection Database Mutex 00000a0c".
* Creates an event named "Local\RSS Eventing Event Event 00000a0c".
* Creates an event named "OleDfRoot809A24FB0C6ACFA7".
* Creates an event named "Local\Feed Arbitration Lock Event [ Process : 0x00000a0c ]".
* Creates an event named "Local\Feed Arbitration Unlock Event [ Process : 0x00000a0c ]".
* Creates an event named "OleDfRootBA99F0D518DE924B".
* Creates an event named "OleDfRoot49D298FC14015248".
* Creates an event named "OleDfRoot481563F8B1F1C2D4".
* Creates process "c:\program files\internet explorer\iexplore.exe, http://jj.gxgxy.net/html/dg2.html, null".
* Creates an event named "Isolation Signal Registry Event (5EF9B2C5-2314-11E6-95AC-000C29164906, 0)".
* Creates a mutex "ConnHashTable<304>_HashTable_Mutex".
* Creates an event named "OleDfRoot1EF4AD9C0E4BCA45".
* Creates an event named "OleDfRootF52A6B35A10BE7A6".
* Creates an event named "Isolation Signal Registry Event (65EE3812-2314-11E6-95AC-000C29164906, 0)".
* Creates an event named "OleDfRootA3163E5CC8D85861".
* Creates a mutex "Local\RSS Eventing Connection Database Mutex 00000130".
* Creates an event named "Local\RSS Eventing Event Event 00000130".
* Creates an event named "Local\Feed Arbitration Lock Event [ Process : 0x00000130 ]".
* Creates an event named "Local\Feed Arbitration Unlock Event [ Process : 0x00000130 ]".
* Creates an event named "OleDfRootE97A23F07014AAD1".
* Creates an event named "OleDfRootFEC43406A4F21CAE".
* Creates an event named "OleDfRootC4059E1BD4C1A5AF".
* Creates an event named "OleDfRootC6C3329D7B6AA260".
* Creates an event named "OleDfRootDFF04C075E5E5E39".
* Creates an event named "OleDfRoot55F6674F86486E0".
* Creates an event named "OleDfRoot75E854133CBB3A6".
* Creates an event named "OleDfRootF779F6DA29C0B0FA".
* Creates an event named "OleDfRootA32C9B41C9E81835".
* Enables process privileges.
* Loads a system driver named "netapi000".
* Loads a system driver named "everestdriver".
* Sleeps 33755 seconds.

Additional Information:

How To Remove Xorer.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where Xorer.exe is located.
4. Once the scan is finished, you'll see the message "scan is complete". Click the OK button to view the results.
5. Then delete the threat from the table.
