Technical Information
To ensure autorun and distribution
Sets the following service settings
- [<HKLM>\System\CurrentControlSet\Services\PFHttpContentFilter.exe] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\PFHttpContentFilter.exe] 'ImagePath' = '"%ProgramFiles%\netfilter\PFHttpContentFilter.exe"'
- [<HKLM>\System\CurrentControlSet\Services\netfilter2] 'Start' = '00000001'
- [<HKLM>\System\CurrentControlSet\Services\netfilter2] 'ImagePath' = '<DRIVERS>\netfilter2.sys'
Creates the following services
- 'PFHttpContentFilter.exe' "%ProgramFiles%\netfilter\PFHttpContentFilter.exe"
- 'PFHttpContentFilter.exe' %ProgramFiles%\netfilter\PFHttpContentFilter.exe
- 'netfilter2' <DRIVERS>\netfilter2.sys
Modifies file system
Creates the following files
- %TEMP%\7zipsfx.000\55919031bb4c2.gif
- %ProgramFiles%\netfilter\nss\nspr4.dll
- %ProgramFiles%\netfilter\nss\mozcrt19.dll
- %ProgramFiles%\netfilter\nss\certutil.exe
- %ProgramFiles%\netfilter\netfiltersdk.cer
- %ProgramFiles%\netfilter\import_root_cert.exe
- %ProgramFiles(x86)%\netfilter\netfiltersdk.cer
- %ProgramFiles%\netfilter\uninstall.bat
- %ProgramFiles(x86)%\netfilter\nss\softokn3.dll
- %ProgramFiles(x86)%\netfilter\nss\plds4.dll
- %ProgramFiles(x86)%\netfilter\nss\plc4.dll
- %ProgramFiles(x86)%\netfilter\nss\nss3.dll
- %ProgramFiles(x86)%\netfilter\nss\nspr4.dll
- %ProgramFiles(x86)%\netfilter\nss\mozcrt19.dll
- %ProgramFiles(x86)%\netfilter\nss\certutil.exe
- %ProgramFiles(x86)%\netfilter\nss\smime3.dll
- %ProgramFiles(x86)%\netfilter\import_root_cert.exe
- %ProgramFiles%\netfilter\nss\nss3.dll
- %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates.lnk
- %WINDIR%\temp\netfilter2\ssl\sample ca.pvk
- %WINDIR%\temp\netfilter2\ssl\sample ca.cer
- %WINDIR%\temp\uddf534.tmp
- <DRIVERS>\netfilter2.sys
- %TEMP%\cae8.tmp\install.bat
- %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates_x64.lnk
- %ProgramFiles%\netfilter\nss\plds4.dll
- %ProgramFiles%\netfilter\nss\plc4.dll
- %WINDIR%\installer\{e4194676-4da5-4d17-87a4-d9f2365f48dc}\ksign.exe
- %ProgramFiles%\netfilter\x-rates.exe
- %ProgramFiles(x86)%\netfilter\x-rates.exe
- %ProgramFiles%\netfilter\netfilter2.sys
- %ProgramFiles%\netfilter\nss\softokn3.dll
- %ProgramFiles%\netfilter\nss\smime3.dll
- %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\~-rates.tmp
- %ProgramFiles%\netfilter\install.bat
- %ProgramFiles(x86)%\netfilter\uninstall.bat
- %ProgramFiles(x86)%\netfilter\install.bat
- %TEMP%\7zipsfx.000\55919031c4848.doc
- %TEMP%\7zipsfx.000\55919031bcac9.doc
- %TEMP%\7zipsfx.000\55919031c81e5.txt
- %TEMP%\7zipsfx.000\55919031b8a76.txt
- %TEMP%\7zipsfx.000\55919031d47f2.bmp
- %TEMP%\7zipsfx.000\ro_8894_5373.exe
- %TEMP%\7zipsfx.000\55919031d2a01.bmp
- %TEMP%\7zipsfx.000\55919031be06d.bmp
- %TEMP%\7zipsfx.000\55919031b9d69.bmp
- %TEMP%\7zipsfx.000\55919031d0a6d.gif
- %TEMP%\7zipsfx.000\55919031cde0c.gif
- %TEMP%\7zipsfx.000\55919031cbfb3.gif
- %TEMP%\7zipsfx.000\55919031c040a.gif
- %TEMP%\7zipsfx.000\55919031c9b49.bmp
- %TEMP%\7zipsfx.000\sro_8894_5373.exe
- %TEMP%\7zipsfx.000\55919031cafcd.doc
- %TEMP%\7zipsfx.001\sro_8894_5373.exe
- %ProgramFiles%\netfilter\ssleay32.dll
- %ProgramFiles(x86)%\netfilter\config.reg
- %ProgramFiles%\netfilter\protocolfilters.dll
- %ProgramFiles%\netfilter\pfhttpcontentfilter.exe
- %ProgramFiles%\netfilter\nfapinet.dll
- %ProgramFiles%\netfilter\nfapi.dll
- %ProgramFiles%\netfilter\libeay32.dll
- %ProgramFiles%\netfilter\config.reg
- %ProgramFiles(x86)%\netfilter\nfregdrv.exe
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\x-rates.msi
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\disk1.cab
- %TEMP%\aibb_536.tmp
- %TEMP%\{2abcffa7-9ef0-4698-b66f-4dc0d4536dc4}.bat
- %TEMP%\ai_resourcecleanerlog.txt
- %TEMP%\msifb174.log
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\x-rates.x64.msi
- ctrlnetfilter2
- %ProgramFiles(x86)%\pidgin\ca-certs\sample ca.pem
Deletes the following files
- %TEMP%\7zipsfx.001\sro_8894_5373.exe
- %TEMP%\7zipsfx.000\sro_8894_5373.exe
- %TEMP%\7zipsfx.000\ro_8894_5373.exe
- %TEMP%\7zipsfx.000\55919031d47f2.bmp
- %TEMP%\7zipsfx.000\55919031d2a01.bmp
- %TEMP%\7zipsfx.000\55919031d0a6d.gif
- %TEMP%\7zipsfx.000\55919031cde0c.gif
- %TEMP%\7zipsfx.000\55919031cbfb3.gif
- %TEMP%\7zipsfx.000\55919031cafcd.doc
- %TEMP%\7zipsfx.000\55919031c9b49.bmp
- %TEMP%\7zipsfx.000\55919031c81e5.txt
- %TEMP%\7zipsfx.000\55919031c4848.doc
- %TEMP%\7zipsfx.000\55919031c040a.gif
- %TEMP%\7zipsfx.000\55919031be06d.bmp
- %TEMP%\7zipsfx.000\55919031bcac9.doc
- %TEMP%\7zipsfx.000\55919031bb4c2.gif
- %TEMP%\7zipsfx.000\55919031b9d69.bmp
- %TEMP%\7zipsfx.000\55919031b8a76.txt
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\disk1.cab
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\x-rates.x64.msi
- %APPDATA%\contentfilter company\x-rates 1.1.1.2\install\x-rates.msi
- %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates.lnk~rffc7ac.tmp
- %WINDIR%\temp\uddf534.tmp
- %TEMP%\cae8.tmp\install.bat
Moves the following files
- from %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates.lnk to %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates.lnk~rffc7ac.tmp
Substitutes the following files
- %PROGRAMDATA%\microsoft\windows\start menu\programs\x-rates\x-rates.lnk
Network activity
UDP
- DNS ASK ag##ated.ru
Miscellaneous
Adds a root certificate
Searches for the following windows
- ClassName: 'RegEdit_RegEdit' WindowName: ''
Creates and executes the following
- '%TEMP%\7zipsfx.000\sro_8894_5373.exe'
- '%TEMP%\7zipsfx.001\sro_8894_5373.exe' Robo 1
- '%TEMP%\7zipsfx.000\ro_8894_5373.exe' /quiet
- '%WINDIR%\installer\msic9f8.tmp'
- '%ProgramFiles%\netfilter\import_root_cert.exe'
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu,Cuw,Tuw" -i "NetFilterSDK.cer" -n "NetFilterSDK" -d "%APPDATA%\Thunderbird\Profiles\wjj9aet2.default"
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu,Cuw,Tuw" -i "NetFilterSDK.cer" -n "NetFilterSDK" -d "%APPDATA%\Mozilla\Firefox\Profiles\gn7ryp3k.default"
- '%ProgramFiles%\netfilter\pfhttpcontentfilter.exe'
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu" -i "%WINDIR%\temp\netfilter2\SSL\Sample CA.cer" -n "Sample CA" -d "%APPDATA%\Thunderbird\Profiles\wjj9aet2.default"
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu" -i "%WINDIR%\temp\netfilter2\SSL\Sample CA.cer" -n "Sample CA" -d "%APPDATA%\Mozilla\Firefox\Profiles\gn7ryp3k.default"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CAE8.tmp\install.bat" "%WINDIR%\Installer\MSIC9F8.tmp""' (with hidden window)
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu,Cuw,Tuw" -i "NetFilterSDK.cer" -n "NetFilterSDK" -d "%APPDATA%\Thunderbird\Profiles\wjj9aet2.default"' (with hidden window)
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu,Cuw,Tuw" -i "NetFilterSDK.cer" -n "NetFilterSDK" -d "%APPDATA%\Mozilla\Firefox\Profiles\gn7ryp3k.default"' (with hidden window)
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu" -i "%WINDIR%\temp\netfilter2\SSL\Sample CA.cer" -n "Sample CA" -d "%APPDATA%\Thunderbird\Profiles\wjj9aet2.default"' (with hidden window)
- '%ProgramFiles%\netfilter\nss\certutil.exe' -A -t "TCu" -i "%WINDIR%\temp\netfilter2\SSL\Sample CA.cer" -n "Sample CA" -d "%APPDATA%\Mozilla\Firefox\Profiles\gn7ryp3k.default"' (with hidden window)
Executes the following
- '<SYSTEM32>\msiexec.exe' /i "%APPDATA%\ContentFilter Company\x-rates 1.1.1.2\install\x-rates.x64.msi" /quiet AI_SETUPEXEPATH="%TEMP%\7ZipSfx.000\Ro_8894_5373.exe" SETUPEXEDIR="%TEMP%\7ZipSfx.000\" EXE_CMD_LINE="/exeno...
- '%WINDIR%\syswow64\cmd.exe' "%TEMP%\{2ABCFFA7-9EF0-4698-B66F-4DC0D4536DC4}.bat"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\CAE8.tmp\install.bat" "%WINDIR%\Installer\MSIC9F8.tmp""
- '%WINDIR%\regedit.exe' /s config.reg
- '<SYSTEM32>\sc.exe' create netfilter2 type= kernel start= system error= ignore binPath= <DRIVERS>\netfilter2.sys
- '<SYSTEM32>\net.exe' start netfilter2
- '<SYSTEM32>\net1.exe' start netfilter2
- '<SYSTEM32>\net.exe' start netfsrv
- '<SYSTEM32>\net1.exe' start netfsrv