Gen.Variant.Symmi.4413_2a70ad395a

by malwarelabrobot on July 3rd, 2017 in Malware Descriptions.

Gen:Variant.Symmi.4413 (B) (Emsisoft), Gen:Variant.Symmi.4413 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 2a70ad395a99a28706307fdfa4fef24b
SHA1: 52687deef4acf82b98985a80a3bd67be1c8a3d74
SHA256: bc880cd7a4e58e69f9c7eb08b953cae5ad9b42cb1a749e2dc95b174385878c37
SSDeep: 98304:gdQIGbI0bfZlibAwLDL8FEw4G4ktrXbEtbF5/15x:g6bLzgDLsEwZNLEtbx5x
Size: 3767247 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 1972-12-25 08:33:23
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2748

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\i_phone_blue[1].png (579 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\chat-popup[1].png (7436 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CA7.tmp (2712 bytes)
C:\dat (885 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\warning[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_4514C5DDAF11F496BDCCD6622E9EF365 (660 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHSAQ1GI.txt (305 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2H12DV8R.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VJR9040K.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\v3[1].css (9411 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q0RAIKHH.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6H5NYYFT.txt (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26B3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\678B9F95B126F50368710CA85CB2F3DA_AB8D94F29896452B4806732E3EB7F2B7 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\b_buyNow_187[1].png (10372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\U4T2EBWJ.txt (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\common[1].js (4656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\reallydopost[1].js (859 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LK7UQ8A6.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CA6.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\krnln.fnr (422 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\common_v3[1].js (1081 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\styles-new[1].css (11743 bytes)
C:\update.edb (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2AREPTB0.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\X1WMZ7GH.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\counter[1].js (17760 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JJOYYN7Y.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHRJ80N2.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KL5ZUWDU.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\xplib.fne (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\eAPI.fne (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CIPSUJIG.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UWZKZMN3.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stars_5[1].png (570 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QMY6R97N.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hr_882x7[1].png (1152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O1JL2O23.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2U031IEQ.txt (329 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CH8OFS0H.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\domain_profile[1].htm (1192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.hugedomains[1].xml (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2 (1454 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\dots_8x1[1].gif (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\HtmlView.fne (434 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\error[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bg[1].gif (670 bytes)
C:\update.exe (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\common[1].css (20667 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery-1.5.1.min[1].js (60926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\youtubeLocationMatters[1].jpg (12254 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (942 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\footer_logo_cc[1].png (832 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A0SXX9WM.txt (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WDX9E0U1.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\footer_logo_escrow[1].png (832 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_4514C5DDAF11F496BDCCD6622E9EF365 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CJU696IX.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3A0GLDOA.txt (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53HPTWYG.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\internet.fne (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bg2[1].jpg (17097 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26B2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N85GLBE4.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\crown[1].jpg (2191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KHMA776.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\chat-popup-close[1].png (858 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\iext2.fne (942 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pages_v3b[1].css (11735 bytes)
C:\csyt2.exe (899 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26E2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\chat-popup-start[1].png (2191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\footer_logo_guaranteed[1].png (732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\921FA3X0.txt (841 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\edition121114[1].css (3378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\i_i_blue[1].png (457 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\error[1] (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2 (2702 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HLS3GAQ8.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VZY7D90T.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_top[1].png (5518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B3HCHRUN.txt (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\styles_hd[1].css (15415 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\t[1].gif (49 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (665 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\678B9F95B126F50368710CA85CB2F3DA_AB8D94F29896452B4806732E3EB7F2B7 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9KD81I68.txt (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26E3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\b_x[1].png (755 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\footer_logo_GT[1].png (2139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9LANWZCJ.txt (123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\profileVideo[1].gif (43 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KHMA776.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KL5ZUWDU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CA7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6H5NYYFT.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CIPSUJIG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QMY6R97N.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UWZKZMN3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VJR9040K.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q0RAIKHH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\U4T2EBWJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHSAQ1GI.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26B3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CA6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A0SXX9WM.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WDX9E0U1.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CH8OFS0H.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CJU696IX.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O1JL2O23.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LK7UQ8A6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3A0GLDOA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53HPTWYG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VZY7D90T.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2H12DV8R.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B3HCHRUN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26B2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2AREPTB0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\X1WMZ7GH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26E2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JJOYYN7Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N85GLBE4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9KD81I68.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26E3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHRJ80N2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9LANWZCJ.txt (0 bytes)

Registry activity

The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "94109603"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\323C118E1BF7B8B65254E2E2100DD6029037F096]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 6C 04 85 E5"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5D 82 AD B9"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\2a70ad395a99a28706307fdfa4fef24b_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"323C118E1BF7B8B65254E2E2100DD6029037F096"
"2796BAE63F1801E277261BA0D77770028F20EEE4"

Dropped PE files

MD5 File path
4c9e8f81bf741a61915d0d4fc49d595e c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\HtmlView.fne
cbd788f4c71b9776660d6e8473ae0e09 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\eAPI.fne
6eb20bb6cafd6d31e871ed3abd65a59c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\iext2.fne
5f7615924643b28efe76f73c525c8d85 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\internet.fne
a9113c8263834546df16fd690483b291 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\krnln.fnr
091be7e5cd318ec2a43148046307fe95 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\xplib.fne
c650212049eecc55c0597e24ef8d2597 c:\csyt2.exe
629779caa5ff62675f44edad69914088 c:\update.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ?? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????????!
Comments: ?????????!
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 19916 20480 4.52066 2e50996cc73c4c2fb7ea8f79cf982b26
.rdata 24576 2634 4096 2.46749 e5615fe4c75b4f7ba6eaedb684bf431c
.data 28672 8024 8192 1.98389 65f79c130923371bceab73bb68dbb967
.data 36864 2715648 2715648 5.51814 1ab6ab7f2609efd1668adce658b075b6
.rsrc 2752512 8296 12288 2.91404 4fb8b459a604e4667e0f6dd62fb5795f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com/new.htm
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR6EHhJ4XUaQA4N26wwyKpLEnXRrAQULNVQQZcVi/CPNmFbSvtr2ZnJM5ICEG6KkOvP8ESKcg0IBdCCpUQ=
hxxp://HDRedirect-LB3-890977680.us-east-1.elb.amazonaws.com/update.edb
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= 178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE= 178.255.83.1
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://ocsp.godaddy.com.akadns.net//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== 50.63.243.230
hxxp://ocsp.godaddy.com.akadns.net//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 50.63.243.230
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98=
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDTS8DvN7pMs
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/
hxxp://clients.l.google.com/GIAG2.crl
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGZimYWX7CS+
hxxp://crl.geotrust.com/crls/secureca.crl 23.46.117.163
hxxp://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== 50.63.243.230
hxxp://www.csyt2.com/update.edb 54.172.131.220
hxxp://ocsp.godaddy.com//MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= 50.63.243.230
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGZimYWX7CS+ 172.217.16.110
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 62.140.236.163
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 62.140.236.147
hxxp://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= 23.46.123.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDTS8DvN7pMs 172.217.16.110
hxxp://g2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR6EHhJ4XUaQA4N26wwyKpLEnXRrAQULNVQQZcVi/CPNmFbSvtr2ZnJM5ICEG6KkOvP8ESKcg0IBdCCpUQ= 23.46.123.27
hxxp://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE= 178.255.83.1
hxxp://vassg142.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ 2.21.89.35
hxxp://www.csyt2.com/new.htm 54.172.131.220
hxxp://pki.google.com/GIAG2.crl 172.217.16.110
www.hugedomains.com 216.150.210.199
secure.statcounter.com 104.20.2.47
ssl.google-analytics.com 216.58.209.200
static.hugedomains.com 104.25.38.108
c.statcounter.com 104.20.3.47


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /new.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.csyt2.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 02 Jul 2017 13:08:42 GMT
Location: hXXps://VVV.hugedomains.com/domain_profile.cfm?d=csyt2&e=com
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 181
Connection: keep-alive
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXps://VVV.hugedomains.com/domain_profile.cfm?d=csyt2&e=com">here</a>.</h2>
</body></html>



GET /update.edb HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.csyt2.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 02 Jul 2017 13:09:03 GMT
Location: hXXps://VVV.hugedomains.com/domain_profile.cfm?d=csyt2&e=com
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 181
Connection: keep-alive
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXps://VVV.hugedomains.com/domain_profile.cfm?d=csyt2&e=com">here</a>.</h2>
</body></html>


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCGZimYWX7CS+ HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 29 Jun 2017 18:23:28 GMT
Expires: Mon, 03 Jul 2017 18:23:28 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 240408


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86392
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Tue, 13 Jun 2017 19:04:53 GMT
Accept-Ranges: bytes
ETag: "80f83df077e4d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 52967
Date: Sun, 02 Jul 2017 13:09:24 GMT
Connection: keep-alive
X-CCC: UA
X-CID: 2

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1390
content-transfer-encoding: binary
Cache-Control: max-age=421494, public, no-transform, must-revalidate
Last-Modified: Fri, 30 Jun 2017 10:12:57 GMT
Expires: Fri, 7 Jul 2017 10:12:57 GMT
Date: Sun, 02 Jul 2017 13:10:04 GMT
Connection: keep-alive

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca4.com


HTTP/1.1 200 OK
Date: Sun, 02 Jul 2017 13:09:50 GMT
Server: Apache
Last-Modified: Sun, 02 Jul 2017 03:09:48 GMT
Expires: Sun, 09 Jul 2017 03:09:48 GMT
ETag: 1705D63FE529D656F5F8656F9DD9B4401C33112F
Cache-Control: max-age=568197,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp22
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response


GET /GIAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: pki.google.com


HTTP/1.1 200 OK
Accept-Ranges: none
Vary: Accept-Encoding
Content-Type: application/pkix-crl
Date: Sun, 02 Jul 2017 12:20:49 GMT
Expires: Sun, 02 Jul 2017 13:20:49 GMT
Last-Modified: Sun, 02 Jul 2017 02:15:00 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=3600
Age: 2964
Transfer-Encoding: chunked

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Sun, 02 Jul 2017 13:09:45 GMT
Server: Apache
Last-Modified: Sun, 02 Jul 2017 03:09:48 GMT
Expires: Sun, 09 Jul 2017 03:09:48 GMT
ETag: CDDC764C534B754D5798ED69990AE74C5C0C4C02
Cache-Control: max-age=568202,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp22
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response


GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ HTTP/1.1
Cache-Control: max-age = 339923
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:41:21 GMT
If-None-Match: "c06e9a4e33eec9dd813b8faff15397229f914d2a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg142.ocsp.omniroot.com


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1746
Last-Modified: Sat, 01 Jul 2017 18:54:32 GMT
ETag: "de69e4ddf81f9ae319e0bb9809ee3f24a425ae5d"
Cache-Control: public, no-transform, must-revalidate, max-age=274802
Expires: Wed, 05 Jul 2017 17:30:12 GMT
Date: Sun, 02 Jul 2017 13:10:10 GMT
Connection: keep-alive

GET //MEIwQDA+MDwwOjAJBgUrDgMCGgUABBQdI2+OBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Sun, 02 Jul 2017 13:11:02 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=120498, public, no-transform, must-revalidate
Last-Modified: Sun, 02 Jul 2017 12:25:02 GMT
Expires: Tue, 04 Jul 2017 00:25:02 GMT
ETag: "79e06e91bb616ecca6f327d7d88b40fc72515a29"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1730
Connection: close
Content-Type: application/ocsp-response


GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDTS8DvN7pMs HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com


HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Fri, 30 Jun 2017 22:40:45 GMT
Expires: Tue, 04 Jul 2017 22:40:45 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Cache-Control: public, max-age=345600
Age: 138564


GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH+3ahq1OMCAxvnFQ== HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com


HTTP/1.1 200 OK
Date: Sun, 02 Jul 2017 13:09:47 GMT
Server: Apache
Content-Transfer-Encoding: Binary
Cache-Control: max-age=121443, public, no-transform, must-revalidate
Last-Modified: Sun, 02 Jul 2017 12:40:22 GMT
Expires: Tue, 04 Jul 2017 00:40:22 GMT
ETag: "84b033ad3c6b0e6279edd47f4ee10c1f1c8c5b57"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Content-Length: 1697
Connection: close
Content-Type: application/ocsp-response

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR6EHhJ4XUaQA4N26wwyKpLEnXRrAQULNVQQZcVi/CPNmFbSvtr2ZnJM5ICEG6KkOvP8ESKcg0IBdCCpUQ= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: g2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1427
content-transfer-encoding: binary
Cache-Control: max-age=507241, public, no-transform, must-revalidate
Last-Modified: Sat, 1 Jul 2017 10:02:23 GMT
Expires: Sat, 8 Jul 2017 10:02:23 GMT
Date: Sun, 02 Jul 2017 13:09:29 GMT
Connection: keep-alive

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Length: 554
Content-Type: application/pkix-crl
Last-Modified: Thu, 15 Jun 2017 00:43:48 GMT
ETag: 0x8D4B38795FC4CDC
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 9576bca8-0001-0047-2479-e5981b000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 02 Jul 2017 13:10:05 GMT
Connection: keep-alive

GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com


HTTP/1.1 200 OK
Server: Apache
ETag: "e9fd373f14dd566d6f5940966dc33e99:1499000421"
Last-Modified: Sun, 02 Jul 2017 13:00:21 GMT
Date: Sun, 02 Jul 2017 13:09:58 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2748:

.text
`.rdata
@.data
.data
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
E_N%X
1.1.3
c:\%original file name%.exe
explorer hXXp://VVV.csyt2.com/changepsd.php
Config.exe
221.209.17.148
\update.exe
hXXp://VVV.csyt2.com/update.edb
\update.edb
update.exe
\csyt2.exe
KERNEL32.DLL
advapi32.dll
d3d8.dll
devil.dll
dinput8.dll
gdi32.dll
granny2.dll
imagehlp.dll
imm32.dll
mss32.dll
ole32.dll
oleaut32.dll
python22.dll
shell32.dll
speedtreert.dll
version.dll
winmm.dll
ws2_32.dll
RegOpenKeyA
.rdata
20050518
kernel32.dll
csyt2.exe
update.edb
MLSJ.exe
HookSrv.exe
GearNT.exe
Gear9x.exe
XP.exe
explorer hXXp://VVV.csyt2.com
explorer hXXp://VVV.csyt2.com/register.php
csyt2.exe 1 3
csyt2.exe 0 3
SetWindowsHookExA
UnhookWindowsHookEx
Adobe Photoshop CS4 Windows
2010:01:05 23:37:41
urlTEXT
MsgeTEXT
hXXp://VVV.csyt2.com/new.htm
stEvt:parameters="from image/bmp to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:55FF472410FADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T23:36:50 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2010:01:05 23:36:31
-GcuW}fv
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:12:18 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CS4 Windows" xmp:CreateDate="2010-01-05T22:59:03 08:00" xmp:ModifyDate="2010-01-05T23:36:31 08:00" xmp:MetadataDate="2010-01-05T23:36:31 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:AA1A87650FFADE11B2F4DAB3213FF165" xmpMM:DocumentID="xmp.did:A91A87650FFADE11B2F4DAB3213FF165" xmpMM:OriginalDocumentID="xmp.did:A91A87650FFADE11B2F4DAB3213FF165" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;1616C2D5F16C7B0D4D729E784612A4BF" exif:PixelXDimension="122" exif:PixelYDimension="34" exif:ColorSpace="65535" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;02F6AFAB3E360ED061206666B6940851"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:A91A87650FFADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T23:36:31 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows"/> <rdf:li stEvt:action="converted" 
stEvt:parameters="from image/bmp to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:AA1A87650FFADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T23:36:31 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2010:01:05 23:54:28
YhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:12:18 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CS4 Windows" xmp:CreateDate="2010-01-05T22:59:03 08:00" xmp:ModifyDate="2010-01-05T23:54:28 08:00" xmp:MetadataDate="2010-01-05T23:54:28 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:DE4BD59A12FADE11B2F4DAB3213FF165" xmpMM:DocumentID="xmp.did:5EFF472410FADE11B2F4DAB3213FF165" xmpMM:OriginalDocumentID="xmp.did:5EFF472410FADE11B2F4DAB3213FF165" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;B3F3040730C153FE7068D67BF335790F" exif:PixelXDimension="43" exif:PixelYDimension="24" exif:ColorSpace="65535" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;8EE81005013BB2DFD8C1E49EEEEF38C5"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:5EFF472410FADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T23:54:28 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows"/> <rdf:li stEvt:action="converted" 
stEvt:parameters="from image/bmp to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:DE4BD59A12FADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T23:54:28 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
2010:01:05 22:44:14
T%xPcb
BhXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:12:18 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CS4 Windows" xmp:CreateDate="2010-01-05T22:41:19 08:00" xmp:ModifyDate="2010-01-05T22:44:14 08:00" xmp:MetadataDate="2010-01-05T22:44:14 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" xmpMM:InstanceID="xmp.iid:73228FCB08FADE11B2F4DAB3213FF165" xmpMM:DocumentID="xmp.did:73228FCB08FADE11B2F4DAB3213FF165" xmpMM:OriginalDocumentID="xmp.did:73228FCB08FADE11B2F4DAB3213FF165" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;C16CDA97C3C9BCD4682D18DD2A471371" exif:PixelXDimension="580" exif:PixelYDimension="400" exif:ColorSpace="65535" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;B47E975F83B6511393C618EE80EFE0B2"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:73228FCB08FADE11B2F4DAB3213FF165" stEvt:when="2010-01-05T22:44:14 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows"/> </rdf:Seq> </xmpMM:History> 
</rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
LGÞ
~2Tß
1.0.0.0

%original file name%.exe_2748_rwx_02221000_0000E000:

user32.dll
msctls_hotkey32
hXXp://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
Windows 95
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
c:\%original file name%.exe
GetCPInfo
GetProcessHeap
EnumChildWindows
EnumThreadWindows
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.reloc

%original file name%.exe_2748_rwx_02F71000_00042000:

hu2.iu3;kuM iu
%*.*f
CNotSupportedException
CCmdTarget
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
user32.dll
SHELL32.dll
le32.dll
OLEAUT32.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s@%s:%d
.PAVCException@@
HTTP/1.0
0000HTTP
hXXp://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
SMTP
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
Windows
ListFtpDir
GetCurrentFtpDir
SetCurrentFtpDir
RemoveFtpDir
CreateFtpDir
RenameFtpFile
DeleteFtpFile
PutFtpFile
GetFtpFile
DisconnectFTPServer
ConnectFTPServer
GetHttpFile
DisconnectSmtpServer
ConnectSmtpServer
sale@dywt.com.cn
service@dywt.com.cn;sale@dywt.com.cn
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
HELO %s
AUTH LOGIN
LOGIN
AUTH=LOGIN
EHLO %s
Content-Type: application/octet-stream; name=%s
Content-Disposition: attachment; filename=%s
MAIL FROM:<%s>
RCPT TO:<%s>
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCArchiveException@@
.?AVCTestCmdUI@@
.PAVCFileException@@
zcÁ
c:\%original file name%.exe
GetCPInfo
GetProcessHeap
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
FtpFindFirstFileA
FtpGetFileA
FtpPutFileA
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpRemoveDirectoryA
FtpCreateDirectoryA
FtpRenameFileA
FtpDeleteFileA
8B/..LLLXLV
.text
`.rdata
@.data
.rsrc
@.reloc
.Va[H
#v`.rtK

%original file name%.exe_2748_rwx_10001000_00125000:

|$D.tm
~%UVW
L$$SSh
t%SVh
t$(SSh
u$SShe
diu2.iu
1wK(.wE
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
user32.dll
.PAVCException@@
.PAVCFileException@@
.PAVCNotSupportedException@@
\\.\Scsi0:
\\.\PhysicalDrive0
?? / %d]
%d / %d]
1 - %d
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
%s.%s
(%d-%d):
Bogus message code %d
%ld%c
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
ExecuteSql
SerialPort
Windows
%s.fnr
%s.fne
hXXp://dywt.com.cn
%d.%d
ocx.run
com.run
kernel32.dll
%x.tmp
Output.prn
(*.prn)|*.prn|
;Driver={Microsoft Access Driver (*.mdb)};FIL=MS Access
~sqlsrv.dsn
;DRIVER=SQL Server;SERVER=
DRIVER=SQL Server
windows
1234567
BDGetColSQLType
%Y-%m-%d %H:%M:%S
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%d / %d
out.prn
%d.%d
%d/%d
(&07-034/)7 '
\\.\COM%d
%s:%d
icmp.dll
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCOleException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
GetCPInfo
WinExec
GetProcessHeap
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
CreateDialogIndirectParamA
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
#%H%X
< 3)20,6
..../..LLLXLLV
08(( ((0
.text
`.rdata
@.data
.rsrc
@.reloc
(*.*)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\i_phone_blue[1].png (579 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\chat-popup[1].png (7436 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3CA7.tmp (2712 bytes)
    C:\dat (885 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\warning[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_4514C5DDAF11F496BDCCD6622E9EF365 (660 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHSAQ1GI.txt (305 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2H12DV8R.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VJR9040K.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\v3[1].css (9411 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q0RAIKHH.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\6H5NYYFT.txt (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26B3.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\678B9F95B126F50368710CA85CB2F3DA_AB8D94F29896452B4806732E3EB7F2B7 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\b_buyNow_187[1].png (10372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\U4T2EBWJ.txt (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\common[1].js (4656 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\reallydopost[1].js (859 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LK7UQ8A6.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3CA6.tmp (52 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\krnln.fnr (422 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\common_v3[1].js (1081 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\styles-new[1].css (11743 bytes)
    C:\update.edb (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1424 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2AREPTB0.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\X1WMZ7GH.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\counter[1].js (17760 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\JJOYYN7Y.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\EHRJ80N2.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KL5ZUWDU.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\xplib.fne (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\eAPI.fne (335 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CIPSUJIG.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UWZKZMN3.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (248 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stars_5[1].png (570 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QMY6R97N.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1688 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hr_882x7[1].png (1152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O1JL2O23.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2U031IEQ.txt (329 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CH8OFS0H.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\domain_profile[1].htm (1192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\DOMStore\WMZUWJRG\www.hugedomains[1].xml (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2 (1454 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\dots_8x1[1].gif (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\HtmlView.fne (434 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\error[1] (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bg[1].gif (670 bytes)
    C:\update.exe (797 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\common[1].css (20667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (2674 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery-1.5.1.min[1].js (60926 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\youtubeLocationMatters[1].jpg (12254 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 (942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\footer_logo_cc[1].png (832 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (1720 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A0SXX9WM.txt (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WDX9E0U1.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\footer_logo_escrow[1].png (832 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_4514C5DDAF11F496BDCCD6622E9EF365 (463 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CJU696IX.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3A0GLDOA.txt (81 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53HPTWYG.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\internet.fne (86 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\bg2[1].jpg (17097 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26B2.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N85GLBE4.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\crown[1].jpg (2191 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KHMA776.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\chat-popup-close[1].png (858 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\E_N4\iext2.fne (942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pages_v3b[1].css (11735 bytes)
    C:\csyt2.exe (899 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab26E2.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\chat-popup-start[1].png (2191 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\footer_logo_guaranteed[1].png (732 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\921FA3X0.txt (841 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\edition121114[1].css (3378 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\i_i_blue[1].png (457 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\error[1] (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_C7B398B93BFA7397A840C520A0E096A2 (2702 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HLS3GAQ8.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VZY7D90T.txt (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_top[1].png (5518 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\B3HCHRUN.txt (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\styles_hd[1].css (15415 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\t[1].gif (49 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (665 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\678B9F95B126F50368710CA85CB2F3DA_AB8D94F29896452B4806732E3EB7F2B7 (1448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9KD81I68.txt (519 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar26E3.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\b_x[1].png (755 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\footer_logo_GT[1].png (2139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9LANWZCJ.txt (123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\profileVideo[1].gif (43 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
