Troj/Zbot-DQT exhibits the following characteristics:
File Information
- Size: 175K
- SHA-1: 7845464df79c911005a3389a6909b4841874785c
- MD5: 3271e0bea672ecaeb7febb4643049270
- CRC-32: 433f4d87
- File type: Windows executable
- First seen: 2013-01-22
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Application Data\Xozoad\kiaq.tym
  - Size: 1.1K
  - SHA-1: 923a8805ca4a42976a449dc14e794a783e905c60
  - MD5: 181ce02b521708552233c76c64e7e403
  - CRC-32: 28d283f4
  - File type: Unspecified binary - probably data
  - First seen: 2013-01-22
- c:\Documents and Settings\test user\Application Data\Qoqiuv\yniti.exe
  - Size: 175K
  - SHA-1: e41433ec8fe0c965936371148e9d091593b2f617
  - MD5: da9753aaad54fcf967570ee466aec82c
  - CRC-32: 34ccc1ad
  - File type: Windows executable
  - First seen: 2013-01-22
Modified Files
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Folders.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Inbox.dbx
- %PROFILE%\Local Settings\Application Data\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Microsoft\Outlook Express\Offline.dbx
Registry Keys Created
- HKCU\Identities
  - Identity Login: 0x00098053
- HKCU\Software\Microsoft\Internet Explorer\Privacy
  - CleanCookies: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - {72DCEAA3-9374-AA28-88D4-B29D3C4B2163}: "c:\Documents and Settings\test user\Application Data\Qoqiuv\yniti.exe"
- HKCU\Software\Microsoft\Diaw
  - Fupiytq: (binary data, rendered as non-printable characters in the report) □□□P□□□!□`{□0□□ □□□□□P□□P□□□□□@F□□ □□□□□□□□□□□□□□H□□□□@□□0□□□□□□□□□□□@□□□□□□h□□□□□D□□□□ □□p□□□`□ □□□□□□□□□.□□□□□□□□0□□□□0□□□□□□□□@X□□$□p□□p□□□]□□p□`_□□m□□□□□□□□□□0□□□□□□&□0□□
Registry Keys Modified
- HKCU\Identities\{E2564744-A8ED-497D-924B-A548B20CA034}\Software\Microsoft\Outlook Express\5.0
  - Compact Check Count: 0x00000008
- HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\user@example.com
  - TimeStamp: 74 75 af 68 63 f8 cd 01
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 1609: 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  - 1609: 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\qoqiuv\yniti.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://topcomany.co.za/law/upload/config.bin
- http://www.google.bg/webhp
- http://www.google.com/webhp
DNS Requests
- topcomany.co.za
- www.google.bg
- www.google.com