Gen.Variant.Strictor.64236_b8bcf9ff2f

by malwarelabrobot on June 23rd, 2017 in Malware Descriptions.

Gen:Variant.Strictor.64236 (B) (Emsisoft), Gen:Variant.Strictor.64236 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: b8bcf9ff2fcc0ee207890bb290310d31
SHA1: 230607d8ce22374ba1eb7fe840c7b8e868eb0059
SHA256: 5993ced7d34dcc8ad668df13a26ad9549b057c80f0ab0329709baf03bf203413
SSDeep: 24576:dbz WZbE MpHkJBK0yrQKJ4qVBc3Ettcjm:dbCobbMpE6Lr7J4qA3m8
Size: 1123304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-13 00:58:55
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nnnn.exe:888
%original file name%.exe:1692
%original file name%.exe:2728
Pony.exe:3860
Pony.exe:948
vyle.exe:2428
bot.exe:3876
soft.exe:1672
WinMail.exe:3372
WinMail.exe:1988

The Trojan injects its code into the following process(es):

%original file name%.exe:3408
%original file name%.exe:820
conhost.exe:2124
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nnnn.exe:888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\des_date.txt (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Java\JavaUpdtr.exe (673 bytes)

The process %original file name%.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F42.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F64.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F43.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar34FB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F75.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F65.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab34FA.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F76.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\z50 (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F42.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F64.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F43.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar34FB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F75.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F65.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab34FA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F76.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\z50 (0 bytes)

The process %original file name%.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Pony.exe (70 bytes)
C:\Windows\System32\bot.exe (168 bytes)
C:\Windows\System32\nnnn.exe (192 bytes)
C:\Windows\System32\soft.exe (226 bytes)

The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Pony.exe (70 bytes)
C:\Windows\System32\soft.exe (226 bytes)

The process %original file name%.exe:2728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\401437.bat (98 bytes)

The process Pony.exe:3860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\405306.bat (98 bytes)

The process Pony.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\354855.bat (98 bytes)

The process vyle.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp0451a881.bat (376 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil\xepeo.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zearu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zearu\efons.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil\xepeo.cyy (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil (0 bytes)

The process bot.exe:3876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8cd72384.bat (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Yktip\vyle.exe (340 bytes)

The process soft.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp0000376a.bat (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zearu\efons.exe (455 bytes)

The process WinMail.exe:3372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (41384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3372_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB1B1.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1A183C82-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (22088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1A183C82-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB1B2.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3372_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB1B1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3372_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB1B2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

The process WinMail.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_1988_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3072.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3073.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (11848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (8160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_1988_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3072.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3073.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_1988_2.ui (0 bytes)

Registry activity

The process nnnn.exe:888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Java\JavaUpdtr.exe"

The process %original file name%.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Vaida]
"Loaqehuvu" = "4F 74 22 06 51 67 44 93 EC 27 4D 49 20 94 6E AD"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Vaida]
"Ipafri" = "DF 7A 02 39 76 40 63 B4 CB 00 6A 6E 07 B3 49 8A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableSPDY3_0" = "0"

[HKCU\Software\Microsoft\Biyq]
"Ahqeby" = "E0 B2 B2 63 EB 08 29 73 B2 C4 ED 82 A9 48 A2 9B"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

The process %original file name%.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Biyq]
"Ahqeby" = "E0 B2 B2 63 EB 08 29 73 B2 C4 ED 82 A9 48 A2 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:2728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process Pony.exe:3860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process Pony.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\WinRAR]
"HWID" = "7B 36 37 36 38 39 41 43 33 2D 36 37 37 46 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process vyle.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Vaida]
"Ipafri" = "DB 7A 02 39 76 40 63 B4 CB 00 6A 6E 07 B3 49 8A"

[HKCU]
"(Default)" = "62 50 37 30 46 0A 98 0C 6A 2A 6D B1 60 B4 B1 A7"

[HKCU\Software\Microsoft\Biyq]
"Ahqeby" = "E0 B2 B2 63 EB 08 29 73 B2 C4 ED 82 A9 48 A2 9B"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Biyq]

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Opvesoemq"

The process bot.exe:3876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU]
"(Default)" = "B5 D3 70 DA AC E0 72 E6 80 C0 87 5B 8A 5E 5B 4D"

[HKCU\Software\Microsoft\Biyq]
"Ahqeby" = "E0 B2 B2 63 EB 08 29 73 B2 C4 ED 82 A9 48 A2 9B"

The process soft.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Biyq]
"Ahqeby" = "E0 B2 B2 63 EB 08 29 73 B2 C4 ED 82 A9 48 A2 9B"

The process WinMail.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Identities\{C692FCB0-9162-422E-94A4-4CD072B19CA9}]
"Identity Ordinal" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E1 07 06 00 04 00 16 00 0C 00 2C 00 11 00 9B 03"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"
"Default LDAP Account" = "account{5F33D8D7-3326-4E0C-969F-F201824EF068}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "40 B5 E9 46 55 EB D2 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

The process WinMail.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "3"
"Settings Upgraded" = "10"
"Running" = "1"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Default_CodePage" = "28591"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail]
"StoreMigratedV5" = "1"
"lastrun" = "F8 EE 4E 5D 55 EB D2 01"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

The Trojan deletes the following value(s) in system registry:

[HKCU\Identities]
"Changing"
"IncomingID"
"OutgoingID"

Dropped PE files

MD5	File path
f57479b66d3b472d6bebff5502f24bb9	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpG801.tmp
f57479b66d3b472d6bebff5502f24bb9	c:\Users\"%CurrentUserName%"\AppData\Roaming\Java\JavaUpdtr.exe
f6e9c54ac4bdd798180e8315cb448848	c:\Users\"%CurrentUserName%"\AppData\Roaming\Zearu\efons.exe
e571c570f230970d6274d381a31afe17	c:\Windows\System32\bot.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestW
InternetConnectW
HttpOpenRequestA
InternetConnectA
InternetWriteFile
HttpSendRequestExW
InternetReadFileExA
InternetReadFileExW
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSARecv
send
recv
WSASend
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

ZwCreateUserProcess

Propagation

VersionInfo

Company Name: QckDjFy Inc
Product Name: QckDjFy
Product Version: 3.3.2.3
Legal Copyright: Copyright @ 2017
Legal Trademarks:
Original Filename: AsxShwpo.exe
Internal Name: AsxShwpo.exe
File Version: 3.3.2.3
File Description: QckDjFy
Comments: xmfFyZMPMJrgxmpPZagh
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	942868	943104	5.49501	a2eba295b074d2402c8292f00ad311d4
.sdata	958464	488	512	4.59711	8580a4253ef7a672543a91a90f89ff2c
.rsrc	966656	172156	172544	2.65303	3d4d7386eb9bd1edf3e20e7c3881ee42
.reloc	1146880	12	512	0.070639	ce5a7f2236750397d9e8cd6646801885

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
hxxp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl	62.140.236.147
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	62.140.236.163
starmonth.net

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86396

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/vnd.ms-cab-compressed

Last-Modified: Wed, 19 Apr 2017 22:43:31 GMT

Accept-Ranges: bytes

ETag: "80ab755e5eb9d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Content-Length: 52608

Date: Thu, 22 Jun 2017 12:43:51 GMT

Connection: keep-alive

X-CCC: UA

X-CID: 2
MSCF............,...................I.......f..........Je} .authroot.s
tl..Q...6..CK...8...........].y.Q..!Jv..%k.....!..DH.....^..*.E)7k..Rq
...Lu..........[.y..s...~.4.~....4.0a..f.;.~7'M...a<.... .IO'....Z.
.E..F.XuV.....L..@..Y.L......GW.{fd<.8...*~...*...@.e...Xx).{....3T
.C....'..v..A.X......l....3.=..w....P...s#..;...C.(./.. .C.tC...gnI..j
W89.JQ...y..gq.3.Z&.Gz...NV.t...(J.../..%9..W..>.h;$.@..f..La.k....
..s ......`..G..C......@.....@b.....G...x...l".s.c.0......X...C.H.....
.....T.....}.R.`..../...1Z......X..oX...;....f.......LG[....~;.}mw.'. 
..v......`.7ZR..-.........8.....>.:(..........keX.. r......B...Z.ax
C....... 0.#....\.8.....$t:$(.Q....kQ........s.}3b.e.xb....7...r:.<
..>m..:.V.u....kn.3.Y.ar.,.y..b.....{.OO?c/;m.v..k.o.Kj...0G.m.....
j*.U....... ..~.....Z.dS.J..S.y.c...y.......{..Co...i.U....7.i]......W
...T...Y..X..........e.b.`*Uk.T..a....*...M^m..Jvk..g........<d:l..
Sq.H...*y...x1.e....<..V.q..u."v.};G.Px.......{....Y.........5..`..
..x..b_.....W.Mn...5d.,.0|.9".g..L..R.....g..............."  z(.F.$.@.
@......}r..O8P.W.Tr./}\.....X..f=..d`,.X..'.r.8....q.Or:..<v.zFW.Y.
.....nk.:..G.K...GxQ._2!.....t?..(.q...e.&F.............2JG.....b...~.
./....M.6.~.b<...).(.Iy..P..$n. ....._..#.aBz....)..[.2............
..........Ew..9-.2;...2.g.5.-..G.o....K.J..,...(...bd.$..0..r..Z....*.
....._.B.)b<.w}t....]..t....=....b.?...u..A..Z.....6........n12j.0"
.U..,..fd_$A."....... .G.c.u...k.....l....$.@.`A.>,....L}.O......X.
.....rL.GM..p..H;....O@..Q2..T........]..e.G...9.W..06~..R..@V|...<<< skipped >>>

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Length: 558

Content-Type: application/pkix-crl

Last-Modified: Thu, 15 Jun 2017 00:43:44 GMT

ETag: 0x8D4B38793BAF333

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

x-ms-request-id: 957643c2-0001-0047-2678-e5981b000000

x-ms-version: 2009-09-19

x-ms-lease-status: unlocked

x-ms-blob-type: BlockBlob

Date: Thu, 22 Jun 2017 12:44:23 GMT

Connection: keep-alive

0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Last-Modified: Thu, 15 Jun 2017 00:43:44 GMT..ETag: 0x8D4B38793BA
F333..Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0..x-ms-reque
st-id: 957643c2-0001-0047-2678-e5981b000000..x-ms-version: 2009-09-19.
.x-ms-lease-status: unlocked..x-ms-blob-type: BlockBlob..Date: Thu, 22
 Jun 2017 12:44:23 GMT..Connection: keep-alive..0..*0......0...*.H....
....0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....
Microsoft Corporation1 0)..U..."Copyright (c) 2000 Microsoft Corp.1#0!
..U....Microsoft Code Signing PCA..111110211944Z..420416234935Z.7050..
.U.#..0...%. K].rT....*.....S.0... .....7.........0...*.H.............
..&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..6.......i.6.xva....oX.
^f'....s...!......O...h.1a..Ud);.?....J_...Fu....<v.zx..t..h.0JU%.n
k;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#...T.4Ct.......,...c..}
F..U....:..7J...%.#..D6 . ....G..#....T..G;........

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3408_rwx_03F00000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_2124:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

%original file name%.exe_3408_rwx_03F60000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

%original file name%.exe_3408_rwx_03FA0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_2124_rwx_002E0000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

conhost.exe_2124_rwx_00370000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe8

SSShye8

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi\ipage.kuq

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi

ipage.kuq

%original file name%.exe_820:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

E.HWE72

.ly1NTs\,R5l_

&.xb$

.iJmv

C.eK=

0%x)\Z

.KvoH

M-9}~

h&d%c

.vTCt

gB{%s

.zHjD'

.Oa58

q.DX\

`F/

S7@O.lG.

%U >;1

_C%Ug

s;h%f;

3!q_.Nq

q.hdO

ftpD

r.BDZx\:

.QL>l

.kgN=9

G.PU]

J".MH

'.bq!

$%R .huw

c.Fo,

rÊv

Co.YK

r.Ja]

w: %xe

õR

;%UJO

.Fpp(

sx=%S

B:\O9

.jqOZ

'.HSb

:yt%F;s:

.Jr @J

,).yp

L|.xc1

I.ndo

5_%uA

'&webM$

udP~Ul-

evy%X

*..NN

v2.0.50727

Microsoft.VisualBasic

System.Windows.Forms

vUUpqJYUd1PT0qGTYQJtiIt7ZTM.resources

System.Resources

System.Collections.Generic

System.Security.Cryptography

System.Reflection

System.Threading

.ctor

Microsoft.VisualBasic.CompilerServices

System.Runtime.CompilerServices

System.Security

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

_CorExeMain

mscoree.dll

EMN2iykmsgqt

MsgEmzUv1SvWXF2w

SQlcMqZfhBKibodw

cUUJ5YSshDSzmGf

gVmasshW0LBqwA

0.0.0.0

pony.exe

taskhost.exe_872_rwx_00580000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXeY

SSShyeY

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

r.mrn

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil\xepeo.cyy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil

xepeo.cyy

%original file name%.exe_820_rwx_003A0000_0000A000:

l.dli

%original file name%.exe_820_rwx_00400000_000D2000:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

E.HWE72

.ly1NTs\,R5l_

&.xb$

.iJmv

C.eK=

0%x)\Z

.KvoH

M-9}~

h&d%c

.vTCt

gB{%s

.zHjD'

.Oa58

q.DX\

`F/

S7@O.lG.

%U >;1

_C%Ug

s;h%f;

3!q_.Nq

q.hdO

ftpD

r.BDZx\:

.QL>l

.kgN=9

G.PU]

J".MH

'.bq!

$%R .huw

c.Fo,

rÊv

Co.YK

r.Ja]

w: %xe

õR

;%UJO

.Fpp(

sx=%S

B:\O9

.jqOZ

'.HSb

:yt%F;s:

.Jr @J

,).yp

L|.xc1

I.ndo

5_%uA

'&webM$

udP~Ul-

evy%X

*..NN

v2.0.50727

Microsoft.VisualBasic

System.Windows.Forms

vUUpqJYUd1PT0qGTYQJtiIt7ZTM.resources

System.Resources

System.Collections.Generic

System.Security.Cryptography

System.Reflection

System.Threading

.ctor

Microsoft.VisualBasic.CompilerServices

System.Runtime.CompilerServices

System.Security

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

_CorExeMain

mscoree.dll

EMN2iykmsgqt

MsgEmzUv1SvWXF2w

SQlcMqZfhBKibodw

cUUJ5YSshDSzmGf

gVmasshW0LBqwA

0.0.0.0

pony.exe

%original file name%.exe_820_rwx_03D30000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

%original file name%.exe_820_rwx_060E0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi\ipage.kuq

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi

ipage.kuq

taskhost.exe_872_rwx_00640000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

kEYl8/*

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ubyk\hikic.coi

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ubyk

hikic.coi

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

taskhost.exe_872_rwx_00680000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXei

SSShyei

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi\ipage.kuq

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uxmi

ipage.kuq

Dwm.exe_1376_rwx_00110000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil\xepeo.cyy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Uwfil

xepeo.cyy

Dwm.exe_1376_rwx_00620000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

A.Uu x

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

Dwm.exe_1376_rwx_00860000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

Explorer.EXE_1440_rwx_01EA0000_00001000:

sW.uhK

Explorer.EXE_1440_rwx_020D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

Explorer.EXE_1440_rwx_02D80000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

Explorer.EXE_1440_rwx_03AE0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_1648_rwx_00210000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe"

SSShye"

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_1648_rwx_01160000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

conhost.exe_1648_rwx_014A0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXeK

SSShyeK

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

TPAutoConnect.exe_2160_rwx_00390000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe:

SSShye:

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

TPAutoConnect.exe_2160_rwx_012E0000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

TPAutoConnect.exe_2160_rwx_01A70000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe

SSShye

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_2168_rwx_002D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXe.

SSShye.

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv\ypov.ahy

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ymaxv

ypov.ahy

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

conhost.exe_2168_rwx_01080000_0002E000:

.text

`.rdata

@.data

.reloc

l.dlf

PPSj@SSh='

HTTP/1.1

hXXp://

hXXps://

HTTP/1.

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_open16

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

If-None-Match: %s

cabinet.dll

%s: %s

httponly

https

%s://%s

%s://%S

tcfqq13.kba

=8705~8#9:

\zqu{{<i}3|~ws4yehie.lccdjgttfplUU

 6{0808$9r <:#;,i(.lqn~pql

7>2/5.39 ?)

%#<:')&/

‚!%2"4"9

-0:)-:*<*:

0: )4-* 4

#"2(  "

-&0,3.8

>4-=%?;3

GetProcessHeap

KERNEL32.dll

USER32.dll

%s %s

\cmd.exe

/c start "" "%s" -u

"%s" %s

/c "%s"

%sx.%s

%sx

Global\{EC2FA237-2CE3-E25A-80B2-D2085A25D12F}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{64AE5188-DF5C-6ADB-80B2-D2085A25D12F}

Global\{2428F210-7CC4-2A5D-80B2-D2085A25D12F}

{C6C4ADEA-233E-C8B1-80B2-D2085A25D12F}

conhost.exe_2168_rwx_014D0000_0003B000:

.text

`.data

.reloc

%s, u %s %u u:u:u GMT

HTTP/1.1

HTTP/1.0

hXXp://

; charset=%s

HTTP/1.1 %u %s

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

update.exe

config.bin

PR_OpenTCPSocket

cit_ffcookie.module

cit_video.module

%ds~U;MM

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

6;:5;66"

,1;(,; = 1

<! 8< ;-;

'472%9,{

F@ICTQ}cRTWAunO}mmts}NX~csgzn~)[jzyemer\]ika

8/3.xae4LOa

6 !26!1'1!

hXXps://

HTTP/1.

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

_getFirefoxCookie

hXXp://VVV.google.com/webhp

SSShD

SSShXeN

SSShyeN

GetProcessHeap

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

SetKeyboardState

ExitWindowsEx

GetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegEnumKeyW

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

HttpSendRequestExW

HttpSendRequestW

HttpOpenRequestA

HttpOpenRequestW

HttpEndRequestA

HttpSendRequestA

HttpEndRequestW

InternetCrackUrlA

HttpAddRequestHeadersW

GetUrlCacheEntryInfoW

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

3$3*30383

6|7k7u7

9 :1:::@:

42>204:4

sXXXX

nspr4.dll

chrome.dll

\StringFileInfo\xx\%s

ntdll.dll

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\XXX

SysShadow

Chrome

Firefox

C:\Users\"%CurrentUserName%"\AppData\Roaming

{D0533C3D-9B29-7BBF-EA58-3B1738311F09}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot\xauqi.udb

C:\Users\"%CurrentUserName%"\AppData\Roaming\Ylqot

xauqi.udb

Global\{46288E18-290C-EDC4-EA58-3B1738311F09}

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

nnnn.exe:888
%original file name%.exe:1692
%original file name%.exe:2728
Pony.exe:3860
Pony.exe:948
vyle.exe:2428
bot.exe:3876
soft.exe:1672
WinMail.exe:3372
WinMail.exe:1988
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\des_date.txt (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Java\JavaUpdtr.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F42.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F64.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F43.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar34FB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1F75.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F65.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab34FA.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1F76.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\z50 (1 bytes)
C:\ProgramData\Pony.exe (70 bytes)
C:\Windows\System32\bot.exe (168 bytes)
C:\Windows\System32\nnnn.exe (192 bytes)
C:\Windows\System32\soft.exe (226 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\401437.bat (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\405306.bat (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\354855.bat (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp0451a881.bat (376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8cd72384.bat (155 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Yktip\vyle.exe (340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp0000376a.bat (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zearu\efons.exe (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (41384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3372_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabB1B1.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\1A183C82-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (22088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarB1B2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_1988_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3072.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3073.tmp (2712 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Strictor.64236_b8bcf9ff2f

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet