ThreatExpert Report: W32.Virut.CF, Virus.Win32.Virut.ce, W32/Virut.n.gen, W32/Scribble-B..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 8 May 2012, 03:08:47
Processing time: 11 min 25 sec
Submitted sample:

File MD5: 0xFE9985A8D0F72249F22E35877DF0A24C
File SHA-1: 0xA2D89196336B11838AAE2CB9AF2DC7F0450EE595
Filesize: 141,312 bytes
Alias:

W32.Virut.CF [Symantec]
Virus.Win32.Virut.ce [Kaspersky Lab]
W32/Virut.n.gen [McAfee]
W32/Scribble-B [Sophos]
Virus:Win32/Virut.BN [Microsoft]
Trojan-GameThief.Win32.Taworm [Ikarus]
Win32/Virut.F [AhnLab]

Summary of the findings:

What's been found	Severity Level
Capability to block security-related software by modifying firewall settings and by disabling security services, such as Windows Update, Norton Autoprotect, Kaspersky Anti-Virus, etc.
Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
There were some system executable files modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	55 bytes	MD5: 0x24DE82EECA31C110970F9FE7EE760729 SHA-1: 0x9DEE53BD350C1AF8508AADF42C57D27E9AAA213C	Trojan.Win32.AutoRun.ama [Kaspersky Lab] Troj/Taterf-D [Sophos]
2	%AppData%\3rs6qt3a.exe	28,160 bytes	MD5: 0x0AEBF47E013A8219D0530C28DB20AFD3 SHA-1: 0x98445AB42595EE55B8FF757C05479FE1D4638558	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Backdoor.Win32.VB [Ikarus] Win32/Virut.F [AhnLab]
3	%AppData%\MouseDriver.bat	109 bytes	MD5: 0x0A2049724DEC1945260B6784E0409F13 SHA-1: 0x649CC77116FD9E7B3D5FE8A2260BEABA5EA6B0B2	Generic BackDoor.se!bat [McAfee] Troj/Runstub-A [Sophos]
4	%AppData%\osjk8s.exe	59,392 bytes	MD5: 0x81A056D6CFEAA4D3FC99542D1A04C3F2 SHA-1: 0x52897620AB36100581DC2C6C3ECB34FEA403F286	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Backdoor.Win32.VB [Ikarus] Win32/Virut.F [AhnLab]
5	%AppData%\osjk8s.log	1,282 bytes	MD5: 0x13C5B0170B1D88F1CCD545ADED70B772 SHA-1: 0x2CF188A9E0E5B11D93D8E576A4948B7F271EA439	(not available)
6	%AppData%\Plug.bat	110 bytes	MD5: 0xDAF7BC42E7DF29FD6E3A3F8E60FFB40D SHA-1: 0x0195BF60C9281A7862083130C1EEF38D79B0E4DF	Generic BackDoor.se!bat [McAfee] Troj/Runstub-A [Sophos]
7	%AppData%\svchost.exe	138,752 bytes	MD5: 0xC1451E42C4577F07FB64DEA9F51B2980 SHA-1: 0x16B33044E5F1ACA4849C3B857C5AC83F47358EEE	Generic PWS.yw [McAfee] TrojanSpy:Win32/VB.BZ [Microsoft] Trojan.Win32.VB [Ikarus]
8	%Temp%\dsoqq.exe c:\g6jk.exe [file and pathname of the sample #1]	141,312 bytes	MD5: 0xFE9985A8D0F72249F22E35877DF0A24C SHA-1: 0xA2D89196336B11838AAE2CB9AF2DC7F0450EE595	W32.Virut.CF [Symantec] Virus.Win32.Virut.ce [Kaspersky Lab] W32/Virut.n.gen [McAfee] W32/Scribble-B [Sophos] Virus:Win32/Virut.BN [Microsoft] Trojan-GameThief.Win32.Taworm [Ikarus] Win32/Virut.F [AhnLab]
9	%Temp%\dsoqq0.dll %Temp%\dsoqq1.dll %Temp%\dsoqq2.dll	76,800 bytes	MD5: 0xAD5F4C488CC281EAA40585C77DDEF4DE SHA-1: 0x298EC9F6F46BC7D7A895026CEDFFE0EC92E38419	W32.Gammima.AG [Symantec] Trojan-GameThief.Win32.Magania.dlnb [Kaspersky Lab] Generic PWS.ak [McAfee] Mal/Taterf-B [Sophos] Trojan-GameThief.Win32.Magania [Ikarus] Win-Trojan/Onlinegamehack.76800.AD [AhnLab]
10	%System%\nwcwks.dll	8,192 bytes	MD5: 0x560F8147E9BB5A728D8715120D2F7E7F SHA-1: 0xBBE08F172EAE8F6E49A6E1B8BB121816C326F8E3	Trojan.Gen [Symantec] Trojan.Win32.Inject.bgkf [Kaspersky Lab] Generic BackDoor.s [McAfee] Troj/Inject-OJ [Sophos] Trojan:Win32/Orsam!rts [Microsoft] Trojan.Win32.Inject [Ikarus]
11	%Windir%\Temp\datafile1	784 bytes	MD5: 0xA77117B1555519ED69D7F899A8BD449E SHA-1: 0xF7D3FF33ACA3B22742147E17154B1E7958774350	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

The following files were modified:

[pathname with a string SHARE]\msinfo32.exe
[pathname with a string SHARE]\sapisvr.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
%ProgramFiles%\Internet Explorer\iedw.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE
%ProgramFiles%\MSN\MSNIA\msniasvc.exe
%ProgramFiles%\MSN\MSNIA\prestp.exe
%ProgramFiles%\MSN\MsnInstaller\msninst.exe
%ProgramFiles%\NetMeeting\cb32.exe
%ProgramFiles%\NetMeeting\conf.exe
%ProgramFiles%\NetMeeting\wb32.exe
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Outlook Express\oemig50.exe
%ProgramFiles%\Outlook Express\setup50.exe
%ProgramFiles%\Outlook Express\wab.exe
%ProgramFiles%\Outlook Express\wabmig.exe
%ProgramFiles%\Web Publish\WPWIZ.EXE
%ProgramFiles%\Windows Media Player\migrate.exe
%ProgramFiles%\Windows Media Player\mplayer2.exe
%ProgramFiles%\Windows Media Player\setup_wm.exe
%ProgramFiles%\Windows Media Player\wmplayer.exe
%ProgramFiles%\Windows NT\Accessories\wordpad.exe
%ProgramFiles%\Windows NT\dialer.exe
%ProgramFiles%\Windows NT\hypertrm.exe
%ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
%Windir%\Cache\Adobe Reader 6.0.1\ENUBIG\setup.exe
%Windir%\hh.exe
%Windir%\inf\unregmp2.exe
%Windir%\Installer\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}\places.exe
%Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\jsc.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
%Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
%Windir%\msagent\agentsvr.exe
%Windir%\mui\muisetup.exe
%Windir%\NOTEPAD.EXE
%Windir%\pchealth\helpctr\binaries\HelpCtr.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.exe
%Windir%\pchealth\helpctr\binaries\HelpSvc.exe
%Windir%\pchealth\helpctr\binaries\HscUpd.exe
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\pchealth\helpctr\binaries\notiflag.exe
%Windir%\pchealth\UploadLB\Binaries\UploadM.exe
%Windir%\regedit.exe
%System%\accwiz.exe
%System%\actmovie.exe
%System%\ahui.exe
%System%\alg.exe
%System%\arp.exe
%System%\asr_fmt.exe
%System%\asr_ldm.exe
%System%\asr_pfu.exe
%System%\at.exe
%System%\atmadm.exe
%System%\attrib.exe
%System%\auditusr.exe
%System%\blastcln.exe
%System%\bootcfg.exe
%System%\bootok.exe
%System%\bootvrfy.exe
%System%\cacls.exe
%System%\calc.exe
%System%\charmap.exe
%System%\chkdsk.exe
%System%\chkntfs.exe
%System%\cidaemon.exe
%System%\cipher.exe
%System%\cisvc.exe
%System%\ckcnv.exe
%System%\cleanmgr.exe
%System%\clean_all.exe
%System%\cliconfg.exe
%System%\clipbrd.exe
%System%\clipsrv.exe
%System%\cmd.exe
%System%\cmdl32.exe
%System%\cmmon32.exe
%System%\cmstp.exe
%System%\Com\comrepl.exe
%System%\Com\comrereg.exe
%System%\comp.exe
%System%\compact.exe
%System%\conime.exe
%System%\control.exe
%System%\convert.exe
%System%\cscript.exe
%System%\ctfmon.exe

Notes:

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directories were created:

c:\System Volume Information\.
c:\System Volume Information\..

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
osjk8s.exe	%AppData%\osjk8s.exe	135,168 bytes
svchost.exe	%AppData%\svchost.exe	57,344 bytes
3rs6qt3a.exe	%AppData%\3rs6qt3a.exe	53,248 bytes

There was a new memory page created in the address space of the system process(es):

Process Name	Process Filename	Allocated Size
IEXPLORE.EXE	%ProgramFiles%\internet explorer\iexplore.exe	36,864 bytes

The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
nwcwks.dll	%System%\nwcwks.dll	Process name: svchost.exe Process filename: %System%\svchost.exe Address space: 0x10000000 - 0x10006000

There were new services created in the system:

Service Name	Display Name	Status	Service Filename
MouseDriver	MouseDriver	"Stopped"	%AppData%\MouseDriver.bat
NWCWorkstation	Client Service for NetWare	"Running"	%System%\svchost.exe -k netsvcs
Mshost Manager	Mshost Manager	"Stopped"	%AppData%\Plug.bat

The following system services were modified:

Service Name	Display Name	New Status	Service Filename
ALG	Application Layer Gateway Service	"Stopped"	%System%\alg.exe
SharedAccess	Windows Firewall/Internet Connection Sharing (ICS)	"Stopped"	%System%\svchost.exe -k netsvcs
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\osjk8s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\osjk8s\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1\DEBUG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd
HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

The following Registry Keys were deleted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\osjk8s\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\VRT1\DEBUG]

Trace Level = ""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

osjk8s = "%AppData%\osjk8s.exe"
Mshost Manager = "%AppData%\svchost.exe"

so that osjk8s.exe runs every time Windows starts

so that svchost.exe runs every time Windows starts

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

Auto = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute]

values = 2A 3D F7 67 64 67 67 67 63 67 67 67 98 98 67 67 DF 67 67 67 67 67 67 67 27 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 66 67 67 69 78 DD 69 67 D3 6E AA 46 DF 66 2B AA 46 33 0F 0E 14 47 1

[HKEY_LOCAL_MACHINE\SOFTWARE\mdlwe42dgd]

mdlwe42dgdpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SOFTWARE\tgs90gv74r]

tgs90gv74rexepath = "%AppData%\osjk8s.exe"
tgs90gv74rpath = "%AppData%\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NWCWorkstation"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MouseDriver]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\MouseDriver.bat"
DisplayName = "MouseDriver"
ObjectName = "LocalSystem"
Description = "Enables a computer to use mouse from USB port. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mshost Manager]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\Plug.bat"
DisplayName = "Mshost Manager"
ObjectName = "LocalSystem"
Description = "Provides network host signaling and local traffic control setup functionality for network programs and control applets."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum]

0 = "Root\LEGACY_NWCWORKSTATION\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "NWCWorkstation"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000]

Service = "NWCWorkstation"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Client Service for NetWare"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\MouseDriver.bat"
DisplayName = "MouseDriver"
ObjectName = "LocalSystem"
Description = "Enables a computer to use mouse from USB port. Stopping or disabling this service will result in system instability."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mshost Manager]

Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%AppData%\Plug.bat"
DisplayName = "Mshost Manager"
ObjectName = "LocalSystem"
Description = "Provides network host signaling and local traffic control setup functionality for network programs and control applets."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum]

0 = "Root\LEGACY_NWCWORKSTATION\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters]

ServiceDll = "%System%\nwcwks.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation]

Type = 0x00000020
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\svchost.exe -k netsvcs"
DisplayName = "Client Service for NetWare"
ObjectName = "LocalSystem"
Description = "Provides access to file and print resources on NetWare networks."

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"
DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]

UpdateHost = FF F0 53 85 77 C5

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

Hidden = 0x00000002
ShowSuperHidden = 0x00000000
SuperHidden = 0x00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000
WarnonBadCertRecving = 0x00000000
CertificateRevocation = 0x00000000
WarnonZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%AppData%\svchost.exe"
init = "%AppData%\svchost.exe"

so that svchost.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

Use FormSuggest = "yes"
DisableScriptDebuggerIE = "yes"
Error Dlg Displayed On Every Error = "no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

WarnonBadCertRecving = 0x00000000
CertificateRevocation = 0x00000000
WarnonZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

dso32 = "%Temp%\dsoqq.exe"

so that dsoqq.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

win = "%AppData%\svchost.exe"
init = "%AppData%\svchost.exe"

so that svchost.exe runs every time Windows starts

The following Registry Values were deleted:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

RegPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Text = "@shell32.dll,-30500"
Type = "radio"
CheckedValue = 0x00000001
ValueName = "Hidden"
DefaultValue = 0x00000002
HKeyRoot = 0x80000001
HelpID = "shell.hlp#51105"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]

RegPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Text = "@shell32.dll,-30501"
Type = "radio"
CheckedValue = 0x00000002
ValueName = "Hidden"
DefaultValue = 0x00000002
HKeyRoot = 0x80000001
HelpID = "shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]

Text = "@shell32.dll,-30499"
Type = "group"
Bitmap = "%System%\SHELL32.dll,4"
HelpID = "shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]

Auto = "1"

The following Registry Values were modified:

[HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]

(Default) =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

AppData =
Cookies =
Desktop =
Personal =
Local AppData =
Cache =
History =

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1601 =

[HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]

(Default) =

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

1601 =

Other details

Analysis of the file resources indicate the following possible country of origin:

China

The following ports were open in the system:

Port	Protocol	Process
1057	UDP	osjk8s.exe (%AppData%\osjk8s.exe)
1073	UDP	svchost.exe (%AppData%\svchost.exe)
1127	TCP	svchost.exe (%AppData%\svchost.exe)
1131	TCP	svchost.exe (%AppData%\svchost.exe)
1134	TCP	svchost.exe (%AppData%\svchost.exe)
1136	TCP	svchost.exe (%AppData%\svchost.exe)
1151	TCP	svchost.exe (%AppData%\svchost.exe)
1153	TCP	svchost.exe (%AppData%\svchost.exe)
1154	TCP	svchost.exe (%AppData%\svchost.exe)
1155	TCP	svchost.exe (%AppData%\svchost.exe)
1156	TCP	svchost.exe (%AppData%\svchost.exe)
1157	TCP	svchost.exe (%AppData%\svchost.exe)
1161	TCP	svchost.exe (%AppData%\svchost.exe)
1162	TCP	svchost.exe (%AppData%\svchost.exe)
1167	TCP	svchost.exe (%AppData%\svchost.exe)
1170	TCP	svchost.exe (%AppData%\svchost.exe)
1177	TCP	svchost.exe (%AppData%\svchost.exe)
1179	TCP	svchost.exe (%AppData%\svchost.exe)
1182	TCP	svchost.exe (%AppData%\svchost.exe)
1184	TCP	svchost.exe (%AppData%\svchost.exe)
1185	TCP	svchost.exe (%AppData%\svchost.exe)
1192	TCP	svchost.exe (%AppData%\svchost.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
122.224.18.20	88
210.83.81.173	88
174.36.69.5	80
209.59.195.20	80
23.2.17.144	80
23.2.17.153	80
23.2.17.154	80
58.150.174.222	80
64.38.232.180	80
66.114.51.87	80
68.178.232.99	80
74.125.228.13	80
210.83.81.173	888
74.125.228.14	443
74.125.228.16	443
83.133.119.197	65520

The data identified by the following URLs was then requested from the remote web server:

http://122.224.18.20:88/ttbb.txt?t=0.5513727
http://122.224.18.20:88/a8.txt?t=0.3292047
http://www.zzxml.com/p6.asp?MAC=00-0C-29-7C-9D-7C&Publicer=tr2
http://advancetip.com/
http://advancetip.com/js.php?id=1123
http://advancetip.com/css.php?id=1123
http://advancetip.com/logo.php?d=advancetip.com
http://210.83.81.173:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2F69C0DCE5CA9F5FF3F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5C74322&v=2&t=0.7044489
http://210.83.81.173:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2F69C0DCE5CA9F5FF3F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5C74322&v=2&t=0.3566553
http://210.83.81.173:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B2F69C0DCE5CA9F5FF3F6CFDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5C74322&v=2&t=0.731167
http://210.83.81.173:88/nmb.exe
http://ak.imgaft.com/script/jquery-1.3.1.min.js
http://as.casalemedia.com/sd?s=95308&f=1
http://as.casalemedia.com/sd?s=95308&f=1&C=1
http://as.casalemedia.com/sd?s=98198&f=1
http://as.casalemedia.com/sd?s=98198&f=1&C=1
http://i.casalemedia.com/imp.gif?c=85105&cr=275335
http://cdn.optmd.com/V2/85105/275335/index.html?g=Af////8=&r=bestfashionmodel.com/
http://cdn.optmd.com/V2/85105/275335/72sp_1Hm2.gif
http://58.150.174.222/mstrz.jpg?t=5.527896E-02
http://bestfashionmodel.com/
http://bestfashionmodel.com/redirectExitTrack.php?d=bestfashionmodel.com&r=27&u=http%3A%2F%2Fas.casalemedia.com%2Fsd%3Fs%3D98198%26f%3D1
http://bestfashionmodel.com/vtrack.php?qry=baec8d99b314c40d822e65479f7bd3a492d16b35c05435d093dfb71d0725851df4d69a325c99c3559cfc76745032e75fd1527d142845927c
http://bestfashionmodel.com/vtrack.php?qry=bd0cd0c0c8dc0c867620e434e2f8ff59692385bbc1de641ddee4cda4cd314f767a7abcdb8b46c5b7c409a482644ffd65bce2aa5f4e6cc993c67d9130ee22851d973578babba65868f7cebf5815c218c3
http://images.ddc.com/nicheImages/270x26a/default.jpg
http://images.ddc.com/nicheImages/60x22/default.jpg
http://images.ddc.com/nicheImages/778x91b/default.jpg
http://images.ddc.com/nicheImages/270x26b/default.jpg
http://images.ddc.com/nicheImages/498x257/54.jpg
http://images.ddc.com/images/1601-spacer2.jpg
http://images.ddc.com/nicheImages/155x124/54.jpg
http://images.ddc.com/nicheImages/155x124b/54.jpg
http://images.ddc.com/nicheImages/155x124c/54.jpg
http://images.ddc.com/nicheImages/778x69/default.jpg
http://images.ddc.com/nicheImages/11x11/default.jpg
http://images.ddc.com/nicheImages/270x26c/default.jpg
http://images.ddc.com/nicheImages/270x96/default.jpg
http://sale-loan.com/
http://sale-loan.com/?6544f240
http://sale-loan.com/default.aspx?js=1&vid=js-test
http://googleads.g.doubleclick.net/apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-godaddy1_xml&domain_name=sale-loan.com&hl=en&channel=js-test&s=sale-loan.com&num_radlinks=0&dt=1336471789477&u_tz=-420&u_his=0&u_h=480&u_w=640&frm=1
http://google.com/adsense/domains/caf.js
http://www.google.com/ads/search/module/ads/1.0/b19fefe460a08235d9adedfef79b55aa04f5c807/n/domains.js
http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js
http://www.baidulop.com/1mg/am1.rar

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 88:

00000000 | 4845 4144 202F 7474 6262 2E74 7874 3F74 | HEAD /ttbb.txt?t
00000010 | 3D30 2E31 3431 3333 3234 2048 5454 502F | =0.1413324 HTTP/
00000020 | 312E 300D 0A41 6363 6570 743A 202A 2F2A | 1.0..Accept: */*
00000030 | 0D0A 5573 6572 2D41 6765 6E74 3A20 4D6F | ..User-Agent: Mo
00000040 | 7A69 6C6C 612F 342E 3020 2863 6F6D 7061 | zilla/4.0 (compa
00000050 | 7469 626C 653B 204D 5349 4520 362E 303B | tible; MSIE 6.0;
00000060 | 2057 696E 646F 7773 204E 5420 352E 313B |  Windows NT 5.1;
00000070 | 2053 5631 3B20 2E4E 4554 2043 4C52 2032 |  SV1; .NET CLR 2
00000080 | 2E30 2E35 3037 3237 290D 0A48 6F73 743A | .0.50727)..Host:
00000090 | 2031 3232 2E32 3234 2E31 382E 3230 3A38 |  122.224.18.20:8
000000A0 | 380D 0A43 6F6E 7465 6E74 2D4C 656E 6774 | 8..Content-Lengt
000000B0 | 683A 2030 0D0A 436F 6E6E 6563 7469 6F6E | h: 0..Connection
000000C0 | 3A20 4B65 6570 2D41 6C69 7665 0D0A 5072 | : Keep-Alive..Pr
000000D0 | 6167 6D61 3A20 6E6F 2D63 6163 6865 0D0A | agma: no-cache..
000000E0 | 0D0A 4845 4144 202F 6138 2E74 7874 3F74 | ..HEAD /a8.txt?t
000000F0 | 3D30 2E38 3935 3632 3839 2048 5454 502F | =0.8956289 HTTP/
00000100 | 312E 300D 0A41 6363 6570 743A 202A 2F2A | 1.0..Accept: */*
00000110 | 0D0A 5573 6572 2D41 6765 6E74 3A20 4D6F | ..User-Agent: Mo
00000120 | 7A69 6C6C 612F 342E 3020 2863 6F6D 7061 | zilla/4.0 (compa
00000130 | 7469 626C 653B 204D 5349 4520 362E 303B | tible; MSIE 6.0;
00000140 | 2057 696E 646F 7773 204E 5420 352E 313B |  Windows NT 5.1;
00000150 | 2053 5631 3B20 2E4E 4554 2043 4C52 2032 |  SV1; .NET CLR 2
00000160 | 2E30 2E35 3037 3237 290D 0A48 6F73 743A | .0.50727)..Host:
00000170 | 2031 3232 2E32 3234 2E31 382E 3230 3A38 |  122.224.18.20:8
00000180 | 380D 0A43 6F6E 7465 6E74 2D4C 656E 6774 | 8..Content-Lengt
00000190 | 683A 2030 0D0A 436F 6E6E 6563 7469 6F6E | h: 0..Connection
000001A0 | 3A20 4B65 6570 2D41 6C69 7665 0D0A 5072 | : Keep-Alive..Pr
000001B0 | 6167 6D61 3A20 6E6F 2D63 6163 6865 0D0A | agma: no-cache..
000001C0 | 0D0A                                    | ..

There was an outbound traffic produced on port 80:

There was an outbound traffic produced on port 443:

00000000 | 804C 0103 0000 3300 0000 1000 0004 0000 | .L....3.........
00000010 | 0500 000A 0100 8007 00C0 0300 8000 0009 | ................
00000020 | 0600 4000 0064 0000 6200 0003 0000 0602 | ..@..d..b.......
00000030 | 0080 0400 8000 0013 0000 1200 0063 2FFA | .............c/.
00000040 | BFB1 3893 51E1 C1B7 0A19 1FFF 530F 1603 | ..8.Q.......S...
00000050 | 0000 8410 0000 803C 257F E565 A8CE 8446 | .......<%..e...F
00000060 | 5C89 0502 3159 BB38 A0E7 BC7A 829D 6DED | \...1Y.8...z..m.
00000070 | AF64 FC8E 65E2 B7C3 0DA2 AF81 DF27 857D | .d..e........'.}
00000080 | 842C 68EA 5004 8A26 62EF 9D8E 0029 E57E | .,h.P..&b....).~
00000090 | B04F 8BA4 4422 8C1B 968A E485 0FB8 FF20 | .O..D".........
000000A0 | 6FFA D707 9CAD 7FEF 8D64 C35B FD1C 15A1 | o........d.[....
000000B0 | 1FD8 9541 83B1 5424 F0B8 B0A0 E765 9AE5 | ...A..T$.....e..
000000C0 | F328 2362 7B3D 8D47 AC7F 9698 F739 0BB6 | .(#b{=.G.....9..
000000D0 | 4D1D B927 2EF8 AA14 0300 0001 0116 0300 | M..'............
000000E0 | 003C 31E0 2CB0 D9C3 0300 3FC7 9457 B610 | .<1.,.....?..W..
000000F0 | AEDE 6F01 E57B 8C93 0A12 ED7C 9E72 AAF3 | ..o..{.....|.r..
00000100 | 7DDE 21C5 FA14 618C EABF B9B0 B479 4BA4 | }.!...a......yK.
00000110 | AC23 3B5E 9556 5415 D0E5 61E4 158E 1703 | .#;^.VT...a.....
00000120 | 0000 EC16 F9B7 87D5 5628 DC11 2ABA 34C5 | ........V(..*.4.
00000130 | 3199 23B1 BC19 426A F367 6886 4C44 BDDC | 1.#...Bj.gh.LD..
00000140 | 3AE2 2625 0E34 81A7 F2A3 AC53 EE75 909D | :.&%.4.....S.u..
00000150 | D324 69A5 7317 862F D11C EFDA D97D CA84 | .$i.s../.....}..
00000160 | 0DC6 B768 F51B 4042 7A16 175A C557 02F2 | ...h..@Bz..Z.W..
00000170 | 60E7 65E9 8F30 0998 67F5 862F 1859 8EE0 | `.e..0..g../.Y..
00000180 | 57D2 AF73 1AAC 0885 2373 82CA 5071 7E31 | W..s....#s..Pq~1
00000190 | B059 1CA6 DEB8 D8A8 86B1 A1ED B910 A109 | .Y..............
000001A0 | EBA9 932B C97D 9785 57B9 9598 695E 9A48 | ...+.}..W...i^.H
000001B0 | 3AA0 834B 7EF2 4492 276E A37F 3FA9 25CA | :..K~.D.'n..?.%.
000001C0 | 2CDF 3DAD 944E 65D5 91DB 55CE CAAD 8BAB | ,.=..Ne...U.....
000001D0 | CB0E 6B50 5467 D9E5 A0A7 619A D78F D1C9 | ..kPTg....a.....
000001E0 | 88F8 D430 8E43 3A8D E20E 7403 49BC 1993 | ...0.C:...t.I...
000001F0 | AC21 2C1B FB6C 9033 4188 31D0 A423 05C7 | .!,..l.3A.1..#..
00000200 | 197A 2EB6 6840 A340 48DB 1B76 ABC2 5B   | .z..h@.@H..v..[
00000030 | 0080 0400 8000 0013 0000 1200 0063 FFC6 | .............c..
00000040 | 919F 04FA E252 9903 C9F9 34A0 AC39 1603 | .....R....4..9..
00000050 | 0000 8410 0000 80BC C8F4 2562 1F68 7DCD | ..........%b.h}.
00000060 | E3BB BF32 9360 B4C8 2144 876E 0808 4E8C | ...2.`..!D.n..N.
00000070 | 152B 8582 93F8 42D8 064D 37D1 FDD7 4C95 | .+....B..M7...L.
00000080 | 2C9D DA9B 8E02 D324 3399 D992 DF8A 9411 | ,......$3.......
00000090 | 3A77 FFA0 E3A4 45E8 A4F2 DC72 C32C 597E | :w....E....r.,Y~
000000A0 | 4957 AEA1 3030 E2EE 37A6 8112 9E85 2B13 | IW..00..7.....+.
000000B0 | 72A8 1B8F 65EA A288 3DAB EE78 0FA3 ADAB | r...e...=..x....
000000C0 | BFED A98D 075E 58E1 5672 6F8D F074 4FE4 | .....^X.Vro..tO.
000000D0 | F775 8093 C1F3 1F14 0300 0001 0116 0300 | .u..............
000000E0 | 003C 58B4 E472 908C A02E 5E48 C8C7 3DBB | .<X..r....^H..=.
000000F0 | A65E 41C8 C64D 607D 6FF8 F818 6CC6 5F50 | .^A..M`}o...l._P
00000100 | 1D36 0D2A 50DD FBC5 F4C0 C4E4 E848 AA07 | .6.*P........H..
00000110 | 2825 0FAA 57FB 15AE A4C4 CD1F 5197 1703 | (%..W.......Q...
00000120 | 0001 6716 B135 B760 7A59 1F5D 4210 E1F8 | ..g..5.`zY.]B...
00000130 | BB54 70AF BB8D 52E5 CCF8 7BE8 5193 DA57 | .Tp...R...{.Q..W
00000140 | 57EB 16D5 85B2 60A2 678D 13AD 1A59 A106 | W.....`.g....Y..
00000150 | 3C7A B802 EC7D 8E79 BB28 BD20 CEDF 88D5 | <z...}.y.(. ....
00000160 | A17B DB90 3B7C 4510 0451 1DA1 27F0 EFE1 | .{..;|E..Q..'...
00000170 | 64AD 7AA7 79D3 9B23 326E B928 152B 49FE | d.z.y..#2n.(.+I.
00000180 | 7D83 5DA6 C97C D2A4 345D 444B BC98 C516 | }.]..|..4]DK....
00000190 | 105D 4BDF 667F 594B 4226 5ED8 7239 2B05 | .]K.f.YKB&^.r9+.
000001A0 | 27AF B7AE 50C9 F9D8 D41E 49A8 E276 4E7E | '...P.....I..vN~
000001B0 | 880A 38D0 A69B 783F 0EA5 8136 3179 D577 | ..8...x?...61y.w
000001C0 | E51C 9D3E 03C1 2326 748F 5281 7DF8 EB77 | ...>..#&t.R.}..w
000001D0 | 00D7 A578 75EF 8EFD E820 750D 867F B9C8 | ...xu.... u.....
000001E0 | 382C F3DB BE57 36D8 491C 81B0 0F35 9697 | 8,...W6.I....5..
000001F0 | F6DC 1FE2 9121 C544 91AA 6217 BE66 3690 | .....!.D..b..f6.
00000200 | 5714 D3D4 7405 253E 4666 29F3 1930 B884 | W...t.%>Ff)..0..
00000210 | 93A7 BC3B 8B9C 6C56 6219 79B7 74BD 4ED3 | ...;..lVb.y.t.N.
00000220 | E7CA A9C4 E1B9 CA42 5481 8F4D 6742 2E75 | .......BT..MgB.u
00000230 | 3B5A 1DC9 8F3C 0B0E A636 552C EAA3 2FC5 | ;Z...<...6U,../.
00000240 | A471 E04D 8B6E 5692 7941 E387 C52E 84DB | .q.M.nV.yA......
00000250 | 15FE 940F CB2A ED48 29E6 605F 9AF4 C72D | .....*.H).`_...-
00000260 | 1331 4F7C A0CC D566 2A23 C84C 4C4D DE86 | .1O|...f*#.LLM..
00000270 | 935C 9AC0 DA56 5779 9AC3 BB61 7D2C FA5F | .\...VWy...a},._
00000280 | 977C DB8A EDB0 1F8D BBB2                | .|........

There was an outbound traffic produced on port 65520:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.