Technical Information
Malicious functions:
Executes the following:
- '<SYSTEM32>\wbem\wmiadap.exe' /R /T
Searches for windows to
detect analytical utilities:
- ClassName: 'OLLYDBG' WindowName: 'OllyDbg - [CPU]'
- ClassName: 'OLLYDBG' WindowName: 'OllyDbg'
- ClassName: 'TIdaWindow' WindowName: 'The interactive disassembler'
- ClassName: '2836D440' WindowName: '<Auxiliary name>32 (C) 1998, 1999, 2000 G-RoM, Lorian & Stone'
- ClassName: 'FileMonClass' WindowName: 'File Monitor'
- ClassName: '#32770' WindowName: 'API-Log v1.2 by M.o.D. [F2F]'
- ClassName: '#32770' WindowName: 'TRW2000 for Windows 9x'
- ClassName: 'RegmonClass' WindowName: 'Registry Monitor'
Modifies file system :
Deletes the following files:
- <SYSTEM32>\PerfStringBackup.TMP
- <SYSTEM32>\wbem\Performance\WmiApRpl.ini
Miscellaneous:
Searches for the following windows:
- ClassName: 'DkToolClass' WindowName: 'Found Addresses'
- ClassName: 'DkToolClass' WindowName: 'Expression Evaluator'
- ClassName: 'TApplication' WindowName: 'Minimize Hack Tool v1.2'
- ClassName: 'LSpiroMHS' WindowName: 'L. Spiro Memory Hacking Software'
- ClassName: 'Afx:400000:8:10011:0:0' WindowName: 'Data Viewer'
- ClassName: 'calcClass' WindowName: 'Calculator'
- ClassName: 'convClass' WindowName: 'Base Converter'
- ClassName: 'TForm1' WindowName: 'Cheat '
- ClassName: 'TForm1' WindowName: 'Cheat \O Matic '
- ClassName: 'TMainForm' WindowName: 'PEBrowse Professional Interactive'
- ClassName: 'TApplication' WindowName: 'Cheat \O Matic'
- ClassName: 'TForm1' WindowName: 'Minimize Hack Tool v1.2 (SnipeR'
- ClassName: 'TForm1' WindowName: 'Minimize Hack Tool v1.2 (SnipeR\s Edition)'
- ClassName: 'TApplication' WindowName: 'Cheat '
- ClassName: 'HexWorksClass' WindowName: 'Hex Workshop'
- ClassName: '#32770' WindowName: 'DirectX Windower v1.88'
- ClassName: 'ThunderRT6FormDC' WindowName: 'FireFlash by:Lab'
- ClassName: 'ThunderRT6Main' WindowName: 'Project1'
- ClassName: '#32770' WindowName: 'Cheat32 - Demo Version'
- ClassName: 'MS_WINDOC' WindowName: 'Win32 Programmer\s Reference'
- ClassName: '#32770' WindowName: 'Mode selection'
- ClassName: '#32770' WindowName: 'First time installation'
- ClassName: 'GameWiz32 Help' WindowName: 'GameWiz32 Help'
- ClassName: '#32770' WindowName: 'GameWiz32 30-day-Testversion'
- ClassName: '#32770' WindowName: 'GameWiz32 - Testversion'
- ClassName: '#32770' WindowName: 'Game Trainer'
- ClassName: 'TApplication' WindowName: 'GameCap Detector'
- ClassName: 'TForm1' WindowName: 'GameCap Detector 1.0'
- ClassName: 'HH Parent' WindowName: 'Game Hacking Archive Revised Edition | Demented | August 30, 2006'
- ClassName: '#32770' WindowName: '[ yoda'
- ClassName: '#32770' WindowName: '[ yoda\s Crypter 1.3]'
- ClassName: '#32770' WindowName: '[ yoda\s Protector v1.0b ]'
- ClassName: '#32770' WindowName: 'TheMida loader (c) 2008 deroko of ARTeam'
- ClassName: 'ThunderRT6Main' WindowName: 'NanoView'
- ClassName: 'ThunderRT6FormDC' WindowName: 'Nanomite Table Viewer'
- ClassName: 'WindowsForms10.Window.8.app3' WindowName: 'BiNPDA SiGNSiS v0.1'
- ClassName: 'yPClass' WindowName: '[ yoda\s Protector v1.03.3 ]'
- ClassName: 'TApplication' WindowName: 'PE Explorer'
- ClassName: 'TMainForm' WindowName: 'PE Explorer'
- ClassName: 'yPClass' WindowName: '[ yoda\s Protector v1.03.2 ]'
- ClassName: '#32770' WindowName: '[ yoda\s Protector v1.01 ]'
- ClassName: '#32770' WindowName: '[ yoda\s Protector v1.02 ]'
- ClassName: 'yPClass' WindowName: '[ yoda'
- ClassName: '#32770' WindowName: 'ARMAGEDDON V1.3.3'
- ClassName: '#32770' WindowName: ' Winject'
- ClassName: 'Afx:400000:8:10011:0:2b02b0' WindowName: 'WPE PRO'
- ClassName: 'WispWindowClass' WindowName: 'Syser : Active Hotkey [Ctrl+F12]'
- ClassName: 'TForm1' WindowName: 'WinHack v2.00'
- ClassName: 'TApplication' WindowName: 'PEBrowse Professional Interactive'
- ClassName: 'TSnoopClass' WindowName: 'TSnoop'
- ClassName: 'TApplication' WindowName: 'WinHack v2.00'
- ClassName: '#32770' WindowName: 'Open ActiveMark protected file'
- ClassName: 'TApplication' WindowName: 'ActiveMARK Version Viewer 1.0 - ARTeam'
- ClassName: 'TForm1' WindowName: 'ActiveMARK Version Viewer 1.0 - ARTeam'
- ClassName: '#32770' WindowName: 'AMDUMPV62 - V2.1'
- ClassName: 'TApplication' WindowName: 'IDA'
- ClassName: 'TNewTemplateForm' WindowName: 'New disassembly database'
- ClassName: '#32770' WindowName: 'IDA'
- ClassName: 'MS_WINDOC' WindowName: 'Win32 Programmer'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.0 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.0 Server'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.1'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.0'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 4.4'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 4.4 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 4.4 Server'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.2 Server'
- ClassName: '#32770' WindowName: 'dbk32.sys unloaded'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.3'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.2 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.1 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.1 Server'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.2'
- ClassName: 'TSearch.ClientClass' WindowName: 'TSearch.Client'
- ClassName: 'OWL_Window' WindowName: 'URSoft W32Dasm Ver 8.93 Program Disassembler/Debugger'
- ClassName: 'TPEViewForm' WindowName: 'Cool Debugger for Win32'
- ClassName: 'TPEViewForm' WindowName: 'The Customiser Configuration Screen'
- ClassName: 'VxDMonClass' WindowName: 'VxD Monitor'
- ClassName: '41DAF790-16F5-4881-8754-59FD8CF3B8D2' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '' WindowName: 'TRAINER SPY'
- ClassName: 'CabinetWClass' WindowName: 'TSearch'
- ClassName: 'Afx:400000:8:10011:0:30201' WindowName: 'T-Shirt'
- ClassName: 'Afx:400000:0:0:0:1302f1' WindowName: 'Hakkeeen'
- ClassName: '#32770' WindowName: 'Hacked Spy '
- ClassName: 'OWL_Window' WindowName: 'The Customiser'
- ClassName: '#32770' WindowName: 'TrainerSpy XP + NT / 2000 / XP + Coded By BofeN'
- ClassName: '#32770' WindowName: 'TRAINER SPY'
- ClassName: '#32770' WindowName: 'Tsongkie\s Code Cave Tool'
- ClassName: 'TApplication' WindowName: 'ArtMoney'
- ClassName: 'TApplication' WindowName: 'CodeCaver'
- ClassName: '#32770' WindowName: 'Tsongkie'
- ClassName: '#32770' WindowName: 'T300 iNJECTOR(fix up 2)'
- ClassName: '#32770' WindowName: 'T300 Trainer Spy Kit'
- ClassName: 'Fake_class' WindowName: 'Fake game window'
- ClassName: '#32770' WindowName: '[Sheep]\s Array of Sunshine v1.0'
- ClassName: '#32770' WindowName: '[Sheep]\s Array of Sunshine v1.1'
- ClassName: '#32770' WindowName: '[Sheep]\s Array of Sunshine v1.3'
- ClassName: '#32770' WindowName: '[Sheep]'
- ClassName: 'TApplication' WindowName: 'Dev-C++'
- ClassName: 'ThunderRT6Main' WindowName: 'Game Trainer Studio (Epsilon)'
- ClassName: 'TApplication' WindowName: 'Resource Hacker'
- ClassName: 'T300_Class' WindowName: 'T300 (Trainer Spy Kit v3.0.0)'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.4 Server'
- ClassName: '#32770' WindowName: '[ LordPE Deluxe ] by yoda'
- ClassName: 'TApplication' WindowName: 'Dfhexeditor'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.4 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.3 Client'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.3 Server'
- ClassName: 'TApplication' WindowName: 'Cheat Engine 5.4'
- ClassName: 'TApplication' WindowName: 'XVI32'
- ClassName: 'T200_injector' WindowName: 'Welcome!'
- ClassName: 'T200' WindowName: 'T200 (Trainer Spy Kit v2.0.0)'
- ClassName: 'TApplication' WindowName: 'WinHack'
- ClassName: 'ATL:0046AD28' WindowName: 'HHD Software Free Hex Editor'
- ClassName: 'TApplication' WindowName: 'Hex-Wizard'
- ClassName: 'TApplication' WindowName: 'NEXT-Soft Hex-Editor MX'
