Gen.Trojan.Heur.UmKffzcY91bO_4ad48b62c3
Gen:Trojan.Heur.UmKffzcY91bO (B) (Emsisoft), Gen:Trojan.Heur.UmKffzcY91bO (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4ad48b62c3b0beb8b0fd1e52df69e657
SHA1: e2a51095a59224a59653ef73a815003605891c3c
SHA256: e63b3af7feac9d961dbe4f31b454c7073c5ba33ccc8205a941a9241656c7a325
SSDeep: 12288:lOUOZqwEXOtG3enBJYX35wz9n25vxTOdpwuonDlG0F0dGbMJC8Ee9mV0Vko//qeQ:lrOZREXOpnPR25Brw2bMA81960aIyeUJ
Size: 758784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-25 04:11:09
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1796
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4C3F.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar365C.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab365B.tmp (51 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab367C.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar367D.tmp (2712 bytes)
C:\Windows\System32\drivers\etc\hosts (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (668 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (665 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4C40.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C928KE51.txt (159 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4C40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab365B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4C3F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar367D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar365C.tmp (0 bytes)
C:\Windows\System32\drivers\etc\hosts (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab367C.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"MaxFileSize" = "1048576"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"EnableFileTracing" = "0"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"EnableFileTracing" = "0"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"MaxFileSize" = "1048576"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.ocx"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5D 82 AD B9"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.ocx, 1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKLM\SOFTWARE\Microsoft\Tracing\4ad48b62c3b0beb8b0fd1e52df69e657_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
Dropped PE files
| MD5 | File path |
|---|---|
| 90a39346e9b67f132ef133725c487ff6 | c:\Windows\System32\MSINET.OCX |
| 9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 2864 bytes in size. The following strings are added to the hosts file:
| 127.0.0.1 | www.rezpektor-key.net |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: http://rhm-files.blogspot.com
Product Name: Resource Injector
Product Version: 1.00.0189
Legal Copyright: Copyright (c) Rhm-Files 2017 - All Right Reserved
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.00.0189
File Description: Cheat Lost Saga Indonesia
Comments: Resource Injector Created By Markus Tunggul Wulung Aji
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1490944 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1495040 | 475136 | 474112 | 5.47615 | 7698fd3c850ec2033a0bf0261a92ace4 |
| .rsrc | 1970176 | 286720 | 283648 | 5.21083 | 07c4e264641bbf913f91ddaf902b4e18 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== | |
| hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= | |
| hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| hxxp://www3.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR | |
| hxxp://www3.l.google.com/GIAG2.crl | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== | |
| hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR | |
| hxxp://pki.google.com/GIAG2.crl | |
| hxxp://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= | |
| hxxp://crl.geotrust.com/crls/secureca.crl | |
| sites.google.com | |
| dns.msftncsi.com | |
| teredo.ipv6.microsoft.com | |
| cloudup.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /GIAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com
HTTP/1.1 200 OK
Accept-Ranges: none
Vary: Accept-Encoding
Content-Type: application/pkix-crl
Date: Tue, 04 Jul 2017 17:20:57 GMT
Expires: Tue, 04 Jul 2017 18:20:57 GMT
Last-Modified: Tue, 04 Jul 2017 02:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 3207
Transfer-Encoding: chunked
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1390
content-transfer-encoding: binary
Cache-Control: max-age=532493, public, no-transform, must-revalidate
Last-Modified: Mon, 3 Jul 2017 22:08:50 GMT
Expires: Mon, 10 Jul 2017 22:08:50 GMT
Date: Tue, 04 Jul 2017 18:14:14 GMT
Connection: keep-alive
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCP+TtEpBPnR HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Mon, 03 Jul 2017 21:17:06 GMT
Expires: Fri, 07 Jul 2017 21:17:06 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 75434
GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Tue, 04 Jul 2017 18:15:37 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=122251, public, no-transform, must-revalidate
Last-Modified: Tue, 04 Jul 2017 18:00:23 GMT
Expires: Thu, 06 Jul 2017 06:00:23 GMT
ETag: "7f5280525871171b7cc38f74959799e54862e1a6"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1730
Connection: close
Content-Type: application/ocsp-response
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Length: 554
Content-Type: application/pkix-crl
Last-Modified: Thu, 15 Jun 2017 00:43:48 GMT
ETag: 0x8D4B38795FC4CDC
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: f9b1299d-0001-000e-1678-e5ab7b000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Tue, 04 Jul 2017 18:14:38 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Tue, 13 Jun 2017 19:04:53 GMT
Accept-Ranges: bytes
ETag: "80f83df077e4d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 52967
Date: Tue, 04 Jul 2017 18:13:51 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "91906658429717ef404211abd7c7180e:1499191224"
Last-Modified: Tue, 04 Jul 2017 18:00:24 GMT
Date: Tue, 04 Jul 2017 18:14:09 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com
HTTP/1.1 200 OK
Date: Tue, 04 Jul 2017 18:15:31 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121451, public, no-transform, must-revalidate
Last-Modified: Tue, 04 Jul 2017 17:46:15 GMT
Expires: Thu, 06 Jul 2017 05:46:15 GMT
ETag: "e66d357e9c18ef4017d5f76c89011e08c99d2c0f"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1697
Connection: close
Content-Type: application/ocsp-response
The Trojan connects to the servers at the following location(s):
`.rsrc
RhmFiles.ProgressBar
RhmFiles.OnSystray
MSINET.ocx
InetCtlsObjects.Inet
mswinsck.ocx
MSWinsockLib.Winsock
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
FC:\Windows\system32\stdole2.tlb
VBA6.DLL
shell32.dll
ShellExecuteA
C:\Windows\system32\mswinsck.oca
PSAPI.DLL
user32.dll
GetAsyncKeyState
nC:\Windows\System32\MSINET.oca
olepro32.dll
KeyDown
KeyPress
KeyUp
C:\Windows\system32\MSVBVM60.DLL\3
./012345667689
"#$%&'()* ,,-
GGGGF.GGGGK
y-e.uF|
f.qqp
msgf
p.sC8l
r9.Yy
(4..Xh
o9Sf1%U?
_~-fW}
2017-03-04
n%S,h
I^M%x ]
00/00/0000
Waiting lostsaga.exe...
00:00:00
strURL
KeyCode
KeyAscii
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 VVV.rezpektor-key.net
.text
`.data
.rsrc
.reloc
MSWNSK98.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32MSWINSCK.OCX
"255.255.255.255
"6.00.8169
WSOCK32.dll
KERNEL32.dll
USER32.dll
ole32.dll
ADVAPI32.dll
OLEAUT32.dll
GDI32.dll
GetProcessHeap
GetWindowsDirectoryA
GetKeyState
CreateDialogIndirectParamA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
"%s%s.DLL
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
stdole2.tlbWWW
hsckTCPProtocolWW
FsckUDPProtocolWWd
}|RemotePortWWd
7LocalPortWWWd
0ZBsckGetNotSupportedWW
sckSetNotSupportedWW
sckUnsupportedWW
sckMsgTooBig
sckPortNotSupportedW
MSWinSck.OcxWW
MSWNSK98.chmWW
TCP protocolWW
UDP protocolWW
Returns/Sets the port to be connected to on the remote computerWWW0
Returns/Sets the port used on the local computerWW*
Binds socket to specific port and adapterW:
Occurs connect operation is completedW4
Occurs after a send operation has completedWWW
The argument passed to a function was not in the correct format or in the specified rangeW
Unsupported variant typesW"
Invalid operation at current state
The operation is canceledW
Socket is non-blocking and the specified operation will blockW
A blocking winsock operation is in progressWWWA
The operation is completed. No blocking operation is in progress.W
The specified port is not supportedWWW
?$?0?6?<?
4'484%5-5
mswinsck.dbg
=VVV.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)961>0<
'hXXps://VVV.verisign.com/repository/CPS
This certificate incorporates by reference, and its use is strictly
subject to, the VeriSign Certification Practice Statement (CPS)
hXXps://VVV.verisign.com; by E-mail at CPS-requests@verisign.com; or
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
hXXps://VVV.verisign.com/CPS0b
hXXp://VVV.microsoft.com/vbasic 0
Internet Control URL Property Page
INET98.CHM
FTp/L#
rL#.OL#
MSINET.OCX
hXXp://
PTF://
hXXps://
Microsoft URL Control - 6.01.9782
SSShp&M#
WININET.dll
InternetCreateUrlA
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
HttpQueryInfoA
FtpFindFirstFileA
FtpRemoveDirectoryA
FtpGetCurrentDirectoryA
FtpCreateDirectoryA
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpPutFileA
FtpGetFileA
FtpDeleteFileA
MsgWaitForMultipleObjects
OL#%s%s.DLL
0?NicFTPWWW
icHTTPWW
icHTTPSW,
icUrlOpenFailedW
icBadUrl
0NSicNoExecuteW
`icFtpCommandFailedWW
qicUnsupportedTypeWWW
icUnsupportedCommand
0-gicInvalidOperationWW
icExecutingW
0jHicInvalidForFtpW
hicInvalidURL
icIncorrectPasswordW
icLoginFailureWW
icInetInvalidOperationWW
[icOperationCancelled
00XicSecCertDateInvalid
0.(icSecCertCnInvalidWW
0WwicHttpToHttpsOnRedir
icHttpsToHttpOnRedir
.icPostIsNonSecureWWW
BicClientAuthCertNeededWW
icHttpsHttpSubmitRedirWW
icFtpTransferInProgressW
icFtpDropped
icFtpNoPassiveModeWW
ficHttpHeaderNotFound
icHttpDownlevelServerWWW
icHttpInvalidServerResponseW
icHttpInvalidHeaderW
icHttpInvalidQueryRequestWWW
icHttpHeaderAlreadyExistsWWW
0`>icHttpRedirectFailed
0~ icHttpCookieNeedsConfirmationWWW
7icHttpCookieDeclined
0DSicHttpRedirectNeedsConfirmationW
icSecInvalidCert
icSecCertRevoked
}|RemotePortWW
StillExecutingWW
URLW
Password
OpenURLW
yOperationWWW
~_URLX
MSINet.Ocx
FTPWWW
HTTPWW
Secure HTTPWWW
Unable to open URL
URL is malformedWW&
Protocol not supported for this method
You must execute an operation before retrieving dataWW
FTP command failed
Not a valid or supported commandWW
Invalid operation argument
Still executing last requestWW,
This call is not valid for an FTP connectionWW
Invalid URLWWW
Incorrect password
Login failureW
Invalid operationW
Operation cancelledWWW
Security certificate date invalidW#
Security certificate number invalidWWW
HTTP to HTTPS on redirectW
HTTPS to HTTP on redirectW
Client authorization certificate neededWWW
HTTPS HTTP submit redirWWW
FTP - Transfer in progress
FTP - Connection droppedWW
FTP - no passive modeW
HTTP - Header not foundWWW
HTTP - Downlevel serverWWW
HTTP - Invalid server response
HTTP - Invalid HeaderW
HTTP - Invalid query requestWW
HTTP - Header already existsWW
HTTP - Redirect failed
HTTP - cookie needs confirmationWW
HTTP - cookie declined"
HTTP - redirect needs confirmation
Invalid certWW
Cert revokedWW
Protocol to use for this URLWW
Returns/Sets the internet port to be used on the remote computerWW5
Returns/Sets the URL used by this controlW*
Password to use for authentication;
Open a URL&
Method used to cancel the request currently being executed
2 2>2`2~2
ocx\msinet.dbg
Thawte Certification1
hXXp://ocsp.verisign.com0
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
"hXXp://crl.verisign.com/tss-ca.crl0
9hXXp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
hXXp://msdn.microsoft.com/vbasic0
KERNEL32.DLL
MSVBVM60.DLL
U*\AD:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\LSID\Injector Auto Update LSID Rhm-Files\Project1.vbp
78E1BDD1-9941-11cf-9756-00AA00C00908
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Dll Injected...Creating Thread.....
kernel32.dll
Can't find LoadLibrary API from kernel32.dll
hXXps://cloudup.com/files/iWz-bmsBbqv/download
hXXps://sites.google.com/site/dataconstantinefilesb99794977/LSID.txt?attredirects=0&d=1
hXXps://cloudup.com/files/imR9VmFgQQP/download
\Windows\Fonts\Rhm-Files_LSID.dll
@*\AD:\Data Wulung\Wulung Data\Peralatan Maker Wulung\Tools Cheat\Base LostSaga Indonesia\Rhm-Files\LSID\Injector Auto Update LSID Rhm-Files\Project1.vbp
RemotePort
LocalPort
YThe argument passed to a function was not in the correct format or in the specified range
6.00.8169
is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.
&LocalPort
Socket has encountered an error:Returns/Sets the name used to identify the remote computer?Returns/Sets the port to be connected to on the remote computer0Returns/Sets the port used on the local computer*Returns the state of the socket connection7Returns the number of bytes received on this connection
TCP protocol
UDP protocol
Error occurred;Occurs when data has been received from the remote computer%Occurs connect operation is completed4Occurs when a remote client is attempting to connect*Occurs when the connection has been closed%Occurs during process of sending data Occurs after a send operation has completed
Protocol Constants)Binds socket to specific port and adapter
Unsupported variant types
"Invalid operation at current state
Invalid type for %s property,%s property should be in the range %ld - %ld
The operation is canceled
=Socket is non-blocking and the specified operation will block A blocking winsock operation is in progressAThe operation is completed. No blocking operation is in progress.
Destination address is requiredAThe datagram is too large to fit into the buffer and is truncated3The specified port is the wrong type of this socket
Option unknown, or unsupported#The specified port is not supported0Socket type not supported in this address family>Socket is not a type that supports connection oriented service
Protocol family not supported
Address Family is not supported
Network subsystem is unavailable WINSOCK.DLL version out of range"WinsockInit should be called first
Pass&word
6.01.9782
Returns/Sets the remote computer@Returns/Sets the internet port to be used on the remote computer
5Returns information received from the remote computer9Returns a response code received from the remote computer6Returns the low-level internet handle for this control.Returns whether this control is currently busy)Returns/Sets the URL used by this control5Returns/Sets the Document to be retrieved from server
>Returns/Sets the proxy behavior for this control's connections7Event interface for Microsoft Internet Transfer Control#Microsoft Internet Transfer Control&Issue a request to the remote computer:Method used to cancel the request currently being executed
Secure HTTP
Protocol to use for this URL#User name to use for authentication"Password to use for authentication
Open a URL
URL is malformed&Protocol not supported for this method Unable to connect to remote host
Unable to complete request4You must execute an operation before retrieving data
Request timed out Not a valid or supported command
Still executing last request,This call is not valid for an FTP connection
Invalid URL
Login failure
Invalid operation
Operation cancelled
Handle exists!Security certificate date invalid#Security certificate number invalid
HTTP to HTTPS on redirect
HTTPS to HTTP on redirect
Post is non-secure'Client authorization certificate needed
FTP - Connection dropped
HTTP - Header not found
HTTP - Downlevel server
HTTP - Invalid Header
HTTP - Invalid query request
HTTP - Header already exists
HTTP - Redirect failed
HTTPS HTTP submit redir
FTP - no passive mode HTTP - cookie needs confirmation
HTTP - cookie declined"HTTP - redirect needs confirmation
Invalid cert
Cert revoked
URL'URL properties for the internet control
hXXp://rhm-files.blogspot.com
1.00.0189
_LSID.exe
%original file name%.exe_1796_rwx_00401000_001DF000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4C3F.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar365C.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab365B.tmp (51 bytes)
C:\Windows\System32\MSWINSCK.OCX (108 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab367C.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar367D.tmp (2712 bytes)
C:\Windows\System32\drivers\etc\hosts (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_71764FB7D5C5C8C82AC1C58D221DD0FF (668 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (665 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4C40.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C928KE51.txt (159 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.