Trojan.DownLoader26.904

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] '{e6e75766-da0f-4ba2-9788-6ea593ce702d}' = '"%ALLUSERSPROFILE%\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\v...

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\caloa agent service 1.5] 'ImagePath' = '%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client.exe --StartMode AsService'
[<HKLM>\SYSTEM\ControlSet001\Services\caloa agent service 1.5] 'ImagePath' = '%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client.exe'
[<HKLM>\SYSTEM\ControlSet001\Services\caloa agent service 1.5] 'Start' = '00000002'

Modifies file system:

Creates the following files:

C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\cab54A5CABBE7274D8A22EB58060AAB7623
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcRuntimeMinimum_x86
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcRuntimeAdditional_x86
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
%WINDIR%\Installer\2d586.msi
%WINDIR%\Installer\2d588.ipi
%WINDIR%\Installer\MSI6.tmp
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\cabB3E1576D1FEFBB979E13B1A5379E0B16
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
%ALLUSERSPROFILE%\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\state.rsm
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
%ALLUSERSPROFILE%\Application Data\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcredist_x86.exe
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
<SYSTEM32>\mfc120jpn.dll
<SYSTEM32>\mfc120kor.dll
<SYSTEM32>\mfc120rus.dll
<SYSTEM32>\mfc120esn.dll
<SYSTEM32>\mfc120fra.dll
<SYSTEM32>\mfc120ita.dll
<SYSTEM32>\mfc120u.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\uninstall.exe
%TEMP%\nsn5.tmp\SimpleSC.dll
%ALLUSERSPROFILE%\Start Menu\Programs\pcvisit Software\pcvisit RemoteHost 15.0\Uninstall.lnk
<SYSTEM32>\mfcm120.dll
<SYSTEM32>\mfcm120u.dll
%WINDIR%\Installer\2d58f.msi
<SYSTEM32>\mfc120enu.dll
<SYSTEM32>\vcomp120.dll
%WINDIR%\Installer\2d58a.msi
%WINDIR%\Installer\2d58b.msi
C:\Config.Msi\2d589.rbs
<SYSTEM32>\msvcp120.dll
<SYSTEM32>\msvcr120.dll
%WINDIR%\Installer\2d58d.ipi
<SYSTEM32>\mfc120chs.dll
<SYSTEM32>\mfc120cht.dll
<SYSTEM32>\mfc120deu.dll
%WINDIR%\Installer\MSI9.tmp
C:\Config.Msi\2d58e.rbs
<SYSTEM32>\mfc120.dll
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\shared_app_elements_de.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\shared_app_elements_en.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\client.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client_de.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client_en.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\qtbase_de.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_15_km_starter.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\vcredist_x86.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\libeay32.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\msvcp120.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvvncserver.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\vcredist_x64.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\application_en.qm
%TEMP%\nsn5.tmp\System.dll
%TEMP%\nsn5.tmp\AccessControl.dll
%TEMP%\nsn5.tmp\nsislog.dll
%TEMP%\1.tmp\2.bat
<Current directory>\pcvisit_RemoteHost_15_Setup.exe
%TEMP%\nsn5.tmp\UserInfo.dll
%ALLUSERSPROFILE%\Application Data\pcvisit Software AG\caloa\Logging\13_12_2017_144017_install.log
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\CommandLineInstallAndStart.txt
%TEMP%\nsn5.tmp\nsis7z.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\application_de.qm
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvRh.7z
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\pcvRhAddAssets.7z
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\platforms\pcvRhAddPlatformAssets.7z
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\wixstdba.dll
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\thm.xml
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\thm.wxl
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\qjpeg.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\qsvg.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\platforms\qwindows.dll
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\logo.png
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\license.rtf
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\BootstrapperApplicationData.xml
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.be\vcredist_x86.exe
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\qico.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\Qt5Network.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\Qt5Svg.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\Qt5Widgets.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\msvcr120.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\Qt5Core.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\Qt5Gui.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\remoteProcStart_x64.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\wodKeys.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\wodTunnel.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\qgif.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\remoteProcStart_x86.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\ssleay32.dll
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\wodFTPD.dll

Deletes the following files:

%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\thm.wxl
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\thm.xml
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\wixstdba.dll
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\BootstrapperApplicationData.xml
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\license.rtf
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.ba1\logo.png
%TEMP%\nsn5.tmp\SimpleSC.dll
%TEMP%\nsn5.tmp\System.dll
%TEMP%\nsn5.tmp\UserInfo.dll
%TEMP%\nsn5.tmp\AccessControl.dll
%TEMP%\nsn5.tmp\nsis7z.dll
%TEMP%\nsn5.tmp\nsislog.dll
%WINDIR%\Installer\MSI6.tmp
C:\Config.Msi\2d589.rbs
%WINDIR%\Installer\2d586.msi
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\imageformats\pcvRhAddAssets.7z
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvRh.7z
%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\platforms\pcvRhAddPlatformAssets.7z
%WINDIR%\Installer\2d58b.msi
%WINDIR%\Installer\2d58d.ipi
%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.be\vcredist_x86.exe
%WINDIR%\Installer\2d588.ipi
%WINDIR%\Installer\MSI9.tmp
C:\Config.Msi\2d58e.rbs

Moves the following files:

from %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\vcRuntimeAdditional_x86 to %ALLUSERSPROFILE%\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi
from %TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcRuntimeAdditional_x86 to %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\vcRuntimeAdditional_x86
from %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 to %ALLUSERSPROFILE%\Application Data\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86\cab1.cab
from %TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\cabB3E1576D1FEFBB979E13B1A5379E0B16 to %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16
from %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\vcRuntimeMinimum_x86 to %ALLUSERSPROFILE%\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi
from %TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\vcRuntimeMinimum_x86 to %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\vcRuntimeMinimum_x86
from %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 to %ALLUSERSPROFILE%\Application Data\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86\cab1.cab
from %TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\cab54A5CABBE7274D8A22EB58060AAB7623 to %ALLUSERSPROFILE%\Application Data\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623

Network activity:

Connects to:

'20#.#6.232.182':80
'wp#d':80

TCP:

HTTP GET requests:

http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl via 20#.#6.232.182
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl via 20#.#6.232.182
http://11#.#11.111.1/wpad.dat via wp#d
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl via 20#.#6.232.182

UDP:

DNS ASK crl.microsoft.com
DNS ASK wp#d

Miscellaneous:

Searches for the following windows:

ClassName: '#32770' WindowName: ''

Creates and executes the following:

'%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client.exe' -I CommandLineInstallAndStart.txt --saveCompanyForSupportRequestsOnly "F9583308998" --registerAtCompanyAndApplyItsPolicies "F9583308998"
'%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\pcvisit_client.exe' --StartMode AsService
'%TEMP%\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\.be\vcredist_x86.exe' -q -burn.elevated BurnPipe.{B4AD4E50-E885-4B0F-9B41-84E0A18AA416} {6419EACD-C493-492A-AAB8-5F79BC464B7B} 2932
'<Current directory>\pcvisit_RemoteHost_15_Setup.exe' /S /SupporterID=F9583308998 /UseCompanyPreset
'%ProgramFiles%\pcvisit Software AG\pcvisit RemoteHost 15.0\vcredist_x86.exe' /q /norestart

Executes the following:

'<SYSTEM32>\msiexec.exe' /V
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\1.tmp\2.bat" <Full path to file>"

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial