Gen.Trojan.Heur.3mKffLLdIahO_3c689f04c0
Gen:Trojan.Heur.3mKffLLdIahO (B) (Emsisoft), Gen:Trojan.Heur.3mKffLLdIahO (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3c689f04c0573c4672de2b124216b1fb
SHA1: ab9b10747222078aab33edbf9096c782e33d4e6a
SHA256: bb72d94a12e31440461ee387fc73a35237a938e6a2f2284bcee6d8a937cae630
SSDeep: 24576:rF8VZcKZXM ODTnhyPIk9Vy0aSHBSYB81960aEye9MMT:rFCZtpM 2TnhyT9VBa0SS81Q0aK9MMT
Size: 907776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CompanyName
Created at: 2017-06-14 10:09:36
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2748
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7703.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7704.tmp (2712 bytes)
C:\Windows\System32\drivers\etc\hosts (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (668 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7703.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7704.tmp (0 bytes)
C:\Windows\System32\drivers\etc\hosts (0 bytes)
Registry activity
The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"EnableFileTracing" = "0"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"EnableFileTracing" = "0"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"MaxFileSize" = "1048576"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.ocx, 1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\3c689f04c0573c4672de2b124216b1fb_RASAPI32]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
Dropped PE files
| MD5 | File path |
|---|---|
| 90a39346e9b67f132ef133725c487ff6 | c:\Windows\System32\MSINET.OCX |
| 9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map hostnames to IP addresses.
The modified file is 1128 bytes in size. The following entries are added to the hosts file:
| IP | Hostname |
|---|---|
| 127.0.0.1 | www.tenchi-files.ga |
| ::1 | www.rezpektor-key.net |
| 127.0.0.1 | www.rezpektor-key.net |
| 127.0.0.1 | www.dubeta.id |
| 127.0.0.1 | www.vazdancer.net |
| 127.0.0.1 | www.hikarahikaru.com |
| 127.0.0.1 | vista-tigabelas.blogspot.com |
| 127.0.0.1 | www.tenchi-files.ga |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: http://rhm-files.blogspot.com
Product Name: Resource Injector
Product Version: 1.00.0155
Legal Copyright: Copyright (c) Rhm-Files 2017 - All Right Reserved
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.00.0155
File Description: Cheat Crossfire Indonesia
Comments: Resource Injector Created By Markus Tunggul Wulung Aji
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1204224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1208320 | 626688 | 623104 | 5.46052 | 7b824d7514d411f00acd8477e7c0403f |
| .rsrc | 1835008 | 286720 | 283648 | 5.21112 | 5f691b3f3ee7fae699a00f03adc12720 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| hxxp://www3.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR | |
| hxxp://www3.l.google.com/GIAG2.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| hxxp://crl.geotrust.com/crls/secureca.crl | |
| hxxp://pki.google.com/GIAG2.crl | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR | |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| sites.google.com | |
| dns.msftncsi.com | |
| teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1390
content-transfer-encoding: binary
Cache-Control: max-age=440813, public, no-transform, must-revalidate
Last-Modified: Mon, 26 Jun 2017 22:48:05 GMT
Expires: Mon, 3 Jul 2017 22:48:05 GMT
Date: Wed, 28 Jun 2017 20:25:10 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Length: 554
Content-Type: application/pkix-crl
Last-Modified: Thu, 15 Jun 2017 00:43:48 GMT
ETag: 0x8D4B38795FC4CDC
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 9576bca8-0001-0047-2479-e5981b000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Wed, 28 Jun 2017 20:25:52 GMT
Connection: keep-alive
<<< skipped >>>
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "f3b1cc5d1422a5e3208fea321f7cc35e:1498680921"
Last-Modified: Wed, 28 Jun 2017 20:15:21 GMT
Date: Wed, 28 Jun 2017 20:25:04 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Mon, 26 Jun 2017 21:02:24 GMT
Expires: Fri, 30 Jun 2017 21:02:24 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 170571
GET /GIAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com
HTTP/1.1 200 OK
Accept-Ranges: none
Vary: Accept-Encoding
Content-Type: application/pkix-crl
Date: Wed, 28 Jun 2017 20:20:22 GMT
Expires: Wed, 28 Jun 2017 21:20:22 GMT
Last-Modified: Wed, 28 Jun 2017 02:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 297
Transfer-Encoding: chunked
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
%original file name%.exe_2748_rwx_00401000_001BD000:
RhmFiles.ProgressBar
MSINET.ocx
InetCtlsObjects.Inet
mswinsck.ocx
MSWinsockLib.Winsock
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
FC:\Windows\system32\stdole2.tlb
VBA6.DLL
shell32.dll
ShellExecuteA
C:\Windows\system32\mswinsck.oca
user32.dll
GetAsyncKeyState
PSAPI.DLL
=4 vC:\Windows\System32\MSINET.oca
olepro32.dll
KeyDown
KeyPress
KeyUp
C:\Windows\system32\MSVBVM60.DLL\3
2017-03-04
00/00/0000
Waiting crossfire.exe...
00:00:00
KeyCode
KeyAscii
.text
`.rdata
@.data
.vmp0
.vmp1
.reloc
@.rsrc
d3d9.dll
MSVCP90.dll
KERNEL32.dll
GDI32.dll
USER32.dll
MSVCR90.dll
SHELL32.dll
WININET.dll
d:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\CFID\Base D3D Menu Rhm-Files Crossfire\Release\Rhm-Files_CFID.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.tenchi-files.ga
::1 VVV.rezpektor-key.net
127.0.0.1 VVV.rezpektor-key.net
127.0.0.1 VVV.dubeta.id
127.0.0.1 VVV.vazdancer.net
127.0.0.1 VVV.hikarahikaru.com
127.0.0.1 vista-tigabelas.blogspot.com
Haloo Admin PKL saya tau anda jago crack tapi tolong jangan hapus credit link website kami :D
`.data
.rsrc
MSWNSK98.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32MSWINSCK.OCX
"255.255.255.255
"6.00.8169
WSOCK32.dll
ole32.dll
ADVAPI32.dll
OLEAUT32.dll
GetProcessHeap
GetWindowsDirectoryA
GetKeyState
CreateDialogIndirectParamA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
"%s%s.DLL
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
mswinsck.dbg
Internet Control URL Property Page
INET98.CHM
MSINET.OCX
hXXp://
PTF://
hXXps://
Microsoft URL Control - 6.01.9782
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
FtpFindFirstFileA
FtpRemoveDirectoryA
FtpGetCurrentDirectoryA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpPutFileA
FtpGetFileA
FtpDeleteFileA
MsgWaitForMultipleObjects
ocx\msinet.dbg
Q*\AD:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\CFID\Resource Injector CFID [ Rhm-Files ]\Project1.vbp
78E1BDD1-9941-11cf-9756-00AA00C00908
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Dll Injected...Creating Thread.....
kernel32.dll
Can't find LoadLibrary API from kernel32.dll
hXXps://sites.google.com/site/dataconstantinefilesb99794977/15-06-2017.txt?attredirects=0&d=1
@*\AD:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\CFID\Resource Injector CFID [ Rhm-Files ]\Project1.vbp
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7703.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7704.tmp (2712 bytes)
C:\Windows\System32\drivers\etc\hosts (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (624 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (668 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.