Sample_a83d1c1812

by malwarelabrobot on April 12th, 2018 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a83d1c1812b8564b04e3a7b265776f08
SHA1: be5195b34ac7c3550463dbc69c5a6531a9980aff
SHA256: 54898db5f579d58494320abddbb78baf5345587a006c89a632818d7a7f829754
SSDeep: 49152: I0cHp4gl3Q07HrsT aoPGNQ9xaLdgN/lHYNwxOhBr5ztZR0JRxx7ANF1lrZfYam:ZoC3Q07HrsUPrYAxN 1FyfGY6Z
Size: 4018720 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Yonyou Network Co., Ltd
Created at: 2016-12-26 10:27:41
Analyzed on: Windows7 SP1 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:4000

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:4000 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\887c79c2.png (12284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\temp\UClient_1.1.0-build 201802060905.exe (553380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\procid (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\5416ff4d.png (46228 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_18137DFDB67BCED2F0AFBCB9940D780B (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9C20.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\69ab628f.png (15548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\UClient.db-journal (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\卸载UClient.lnk (651 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\banners.json (573 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4344B8AF97AF3A423D9EE52899963CDE_18137DFDB67BCED2F0AFBCB9940D780B (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\log\main.log (970 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\UClient.lnk (649 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\share\.l (393 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\UClient.db (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9C21.tmp (2712 bytes)

The Malware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9C20.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UClient\UClient.db-journal (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9C21.tmp (0 bytes)

Registry activity

The process %original file name%.exe:4000 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Yonyou\UClient]
"pathname" = "c:\A83D1C~1.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\.esc\DefaultIcon]
"(Default)" = "c:/A83D1C~1.EXE"

[HKCU\Software\Classes\uclient\shell\open\command]
"(Default)" = "c:\A83D1C~1.EXE %1"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\uclient\DefaultIcon]
"(Default)" = "c:\A83D1C~1.EXE"

[HKCU\Software\Classes\.esc\shell\open\command]
"(Default)" = "c:/A83D1C~1.EXE %1"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "48"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\.escr\DefaultIcon]
"(Default)" = "c:/A83D1C~1.EXE"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\.escr\shell\open\command]
"(Default)" = "c:/A83D1C~1.EXE %1"

[HKCU\Software\Classes\.escr]
"(Default)" = "uclient"

[HKCU\Software\Classes\uclient]
"(Default)" = "URL:uclient protocol handler"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\.esc]
"(Default)" = "uclient"

[HKLM\SOFTWARE\Microsoft\Tracing\a83d1c1812b8564b04e3a7b265776f08_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Classes\uclient]
"URL Protocol" = ""

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"UClient" = "c:\A83D1C~1.EXE /s"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
557335dad5973d566e14a0b1ca4bfa5f c:\Users\"%CurrentUserName%"\AppData\Local\UClient\temp\UClient_1.1.0-build 201802060905.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Yonyou Network Co., Ltd
Product Name: UClient
Product Version: 1.1.0-build 201612261610
Legal Copyright: Copyright (C) 2015 Yonyou Network Co., Ltd
Legal Trademarks:
Original Filename: UClient.exe
Internal Name: UClient.exe
File Version: 1.1.0-build 201612261610
File Description: Yonyou UClient Application
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2611489 2611712 4.53069 c07a402e43e9ca19bd54812aabcc516e
.rdata 2617344 495684 496128 3.46651 5428395e6ea80db19c55fecdcc897572
.data 3117056 125324 107008 3.38021 948500471ffed8c66428847d81941657
.gfids 3244032 4564 4608 2.86432 0f149d6f95340e80399e9f2b5b8b7b7b
.tls 3252224 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 3256320 635088 635392 5.5245 e8d40c6e014ad7dba218ec2f94df20bd
.reloc 3895296 156868 157184 4.55143 da59b9997d84806f84ce8a3870a31247

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://uclient.yonyou.com/api/message/myreceivemessages.rest 59.110.150.75
hxxp://uclient.yonyou.com/api/message/memberenterprisenews.rest 59.110.150.75
hxxp://uclient.yonyou.com/update.xml?type=windows&prefer=&sessionid= 59.110.150.75
hxxp://uclient.yonyou.com/api/uclient/uclientcustomize.rest?version=1.1.0-build+201612261610 59.110.150.75
hxxp://iuap-tenat-market.oss-cn-beijing.aliyuncs.com/pro/uclient/uclients/1.1.0-build_201802060905_Windows/UClient.exe 59.110.190.173
hxxp://awatstgefsfrjomeopvznhyr2ixq0ax7.yundunwaf.com//userdata/image/upload/1518061325421Uclient banner 1125×265.jpg
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG/hgj9+GUHaOfzhTEYXM=
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW+2sabjf17QQUkFj/sJx1qFFUd7Ht8qNDFjiebMUCEAftrbDXWeCGqrX3vmkN2N0=
hxxp://awatstgefsfrjomeopvznhyr2ixq0ax7.yundunwaf.com//userdata/image/upload/1522032584398友工程宣传图.png
hxxp://awatstgefsfrjomeopvznhyr2ixq0ax7.yundunwaf.com//userdata/image/upload/1520323309984短信平台banner.jpg
ocsp.digicert.com 93.184.220.29
status.geotrust.com 93.184.220.29
uclient.yonyoucloud.com 59.110.247.93


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD //userdata/image/upload/1518061325421Uclient banner 1125×265.jpg HTTP/1.1
Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:03 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Set-Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3; Path=/; HttpOnly
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1518061325421Uclient banner 1125×265.jpg



GET //userdata/image/upload/1518061325421Uclient banner 1125×265.jpg HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:16 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1518061325421Uclient banner 1125×265.jpg
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.11.2.1</center>
</body>
</html>



HEAD //userdata/image/upload/1522032584398友工程宣传图.png HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Content-Length: 0
Cache-Control: no-cache
Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:20 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1522032584398友工程宣传图.png



GET //userdata/image/upload/1522032584398友工程宣传图.png HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:20 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1522032584398友工程宣传图.png
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.11.2.1</center>
</body>
</html>



HEAD //userdata/image/upload/1520323309984短信平台banner.jpg HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Content-Length: 0
Cache-Control: no-cache
Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:21 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1520323309984短信平台banner.jpg



GET //userdata/image/upload/1520323309984短信平台banner.jpg HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyoucloud.com
Cookie: acw_tc=AQAAAH ablNRcA4A4mDywgGPyooImWm3


HTTP/1.1 301 Moved Permanently
Date: Wed, 11 Apr 2018 02:56:22 GMT
Content-Type: text/html
Content-Length: 191
Connection: keep-alive
Location: hXXps://uclient.yonyoucloud.com/userdata/image/upload/1520323309984短信平台banner.jpg
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>openresty/1.11.2.1</center>
</body>
</html>


POST /api/message/myreceivemessages.rest HTTP/1.1
Accept:  */*
Content-Type: application/json;charset=UTF-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyou.com
Content-Length: 16
Cache-Control: no-cache

{"sessionid":""}
HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 02:56:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
{"flag":true,"errCode":0,"extinfo":[]}



GET /update.xml?type=windows&prefer=&sessionid= HTTP/1.1

Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyou.com


HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 02:56:02 GMT
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
<?xml version="1.0" encoding="UTF-8"?>
<update>
  <release family="Windows">
    <version>1.1.0-build 201802060905</version>
    <resource href="hXXp://iuap-tenat-market.oss-cn-beijing.aliyuncs.com/pro/uclient/uclients/1.1.0-build_201802060905_Windows/UClient.exe"/>
    <description>........................</description>
    <enDescription>Fix some bugs</enDescription>
    <feature>1..........XP.........................2..........................................3..........U8Cloud.......................................</feature>
    <enFeature>1.Fix path bug under XP system.2.Fix the application distinguishing error.3.Correct the U8Cloud compatibility view</enFeature>
  </release>
</update>

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW+2sabjf17QQUkFj/sJx1qFFUd7Ht8qNDFjiebMUCEAftrbDXWeCGqrX3vmkN2N0= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: status.geotrust.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=161515
Content-Type: application/ocsp-response
Date: Wed, 11 Apr 2018 02:56:15 GMT
Etag: "5acc0c95-1d7"
Expires: Thu, 12 Apr 2018 23:48:10 GMT
Last-Modified: Tue, 10 Apr 2018 01:00:05 GMT
Server: ECS (waw/17B8)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG/hgj9+GUHaOfzhTEYXM= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=160052
Content-Type: application/ocsp-response
Date: Wed, 11 Apr 2018 02:56:10 GMT
Etag: "5acd212c-1d7"
Expires: Thu, 12 Apr 2018 23:23:22 GMT
Last-Modified: Tue, 10 Apr 2018 20:40:12 GMT
Server: ECS (waw/17C5)
X-Cache: HIT
Content-Length: 471

<<< skipped >>>

POST /api/message/memberenterprisenews.rest HTTP/1.1
Accept:  */*
Content-Type: application/json;charset=UTF-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyou.com
Content-Length: 16
Cache-Control: no-cache

{"sessionid":""}
HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 02:56:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
{"flag":true,"errCode":0,"extinfo":[]}



POST /api/uclient/uclientcustomize.rest?version=1.1.0-build+201612261610 HTTP/1.1

Accept:  */*
Content-Type: application/json;charset=UTF-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: uclient.yonyou.com
Content-Length: 28
Cache-Control: no-cache

{"sessionid":"","userid":""}
HTTP/1.1 200 OK
Date: Wed, 11 Apr 2018 02:56:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
{"flag":true,"errCode":0,"extinfo":[
  {"id":"ce894f57-669f-415b-8bff-eb7d70d002c5",
   "uclientid":"4724f1c7-78b7-4831-885c-d8d4206b1f81",
   "uclientversion":"1.1.0-build 201703210921",
   "bannerpath":"hXXp://uclient.yonyoucloud.com//userdata/image/upload/1518061325421Uclient banner 1125×265.jpg",
   "bannerurl":"hXXps://VVV.yyfax.com/activity/activityDeploy/activity.html?id\u003d153\u0026code\u003dyjsuc",
   "maintitle":"","subtitle":"","time":"2017-07-19 17:44:43"},
  {"id":"8b38e23b-c56e-401c-8bfd-4bd2b455f485",
   "uclientid":"7aaedcc5-fd92-492d-9ae0-3465bfa88d2e",
   "uclientversion":"1.1.0-build 201710261917",
   "bannerpath":"hXXp://uclient.yonyoucloud.com//userdata/image/upload/1522032584398友工程宣传图.png",
   "bannerurl":"hXXps://pmcloud.yonyoucloud.com/",
   "maintitle":"","subtitle":"","time":"2017-11-01 15:48:07"},
  {"id":"6f0965c1-ead9-47e0-a5f2-8e0aa62156ff",
   "uclientid":"05b51880-cbae-4b9b-852a-46ee6658b809",
   "uclientversion":"1.1.0-build 201802060905",
   "bannerpath":"hXXp://uclient.yonyoucloud.com//userdata/image/upload/1520323309984短信平台banner.jpg",
   "bannerurl":"hXXp://cn.mikecrm.com/lXVHVNn",
   "maintitle":"","subtitle":"","time":"2018-03-02 10:42:06"}
]}

<<< skipped >>>

GET /pro/uclient/uclients/1.1.0-build_201802060905_Windows/UClient.exe HTTP/1.1
Accept:  */*
Content-Type: application/x-www-form-urlencoded;charset=utf-8
User-Agent: UClient (Windows 7; x86; WOW32 )
Host: iuap-tenat-market.oss-cn-beijing.aliyuncs.com


HTTP/1.1 200 OK
Server: AliyunOSS
Date: Wed, 11 Apr 2018 02:56:03 GMT
Content-Type: application/x-msdownload
Content-Length: 4519968
Connection: keep-alive
x-oss-request-id: 5ACD794301F3FC29D81BFA71
Accept-Ranges: bytes
ETag: "557335DAD5973D566E14A0B1CA4BFA5F"
Last-Modified: Wed, 07 Feb 2018 11:54:22 GMT
x-oss-object-type: Normal
x-oss-hash-crc64ecma: 17878018265263733962
x-oss-storage-class: Standard
Content-MD5: VXM12tWXPVZuFKCxykv6Xw==
x-oss-server-time: 1

<<< skipped >>>

The Malware connects to the servers at the following location(s):

%original file name%.exe_4000:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
operation not permitted
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%H : %M : %S
%d / %m / %y
0123456789-
MaxPolicyElementKey
pExecutionResource
operator
operator ""
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Operation not permitted
Inappropriate I/O control operation
Broken pipe
Export
OperationFail
ExportOK
ExportFail
Apps Package (*.upk)
cmdargs
chrome
PNG image files(*.png);JPG image files(*.jpg)
Import
App package(*.zip)
client.esc
export
SelectAppsToExport
export_Start
import
/import/
AppImportFail
SelectAppsToImport
import_Start
LastLoginUser
LoginString
autoLogin
Login
ForgetPassword
LoginFail
password
LoginPrompt
..\shared\MainController.cpp
.escr
UClientCmdHelp
ucUrl
ucExe
downloadUrl
newExe
login_OK
Lua Script(*.lua)
AppsExport
AppsImport
/downloads/banners/banners.json
NewScript.lua
uclient.nc.needCloseprompt
JoinUEIP
HttpProxyIP
HTTP=hXXp://
HTTPS=hXXps://
HttpProxyPort
HttpsProxyPort
HttpsProxyIP
HTTPS=hXXps://
UClientScriptExecutor
LuaExecutor
confirmPassword
TwoPasswordNotMatch
PasswordEmpty
PasswordStrengthNotMatch
()$^.* ?[]|\-{},:=!
3.15.1
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
nc.starter.test.JStarter
CmdArgs
Google Chrome
P_Exporting
%Y-%m-%d %H:%M:%S
/app.esc
Chrome
keydown
AppsExportView
AppsImportView
banner2.jpg
banner3.jpg
bannerurl
/banners.json
Password_c
LoginView
#password
AutoLogin
user_notlogin
UText#Login
UImage#Login
user_login
tb_open.png
tb_run.png
tb_save.png
JoinUserExperienceTip
JoinUserExperience
HTTP:
WebSite_c
HTTPS:
Port
#HttpProxyPort
#HttpProxyIP
#HttpsProxyPort
#HttpsProxyIP
setting.cfg
: 2016-01-01
ConfirmPassword_c
/setting.cfg
\\.\pipe\ufc_out
hXXp://
hXXps://
PTF://
https
BurlyWood
windows
FirefoxHTML\shell\open\command
ChromeHTML\shell\open\command
Applications\iexplore.exe\shell\open\command
cmd.exe /c start microsoft-edge:"%1"
firefox
chrome-win32
/chrome.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\
chrome-win64
, key=
configure warning: duplicate logger key:[
%d-d-d d:d:d.d %s %s
%d-d-d d:d:d.d %s %s %x %s (%s):%d
d_d/
%s_ddddd_%s_d.log
Windows Me
Windows 9X (unknown)
Windows NT
Windows 2000
Windows 3.1
Windows 95
Windows 98
Windows 7
Windows 8
Windows XP
Windows 2003
Windows NT (unknown)
Windows Vista
%d.%d
Windows 10
Windows Server 2008
Windows Server 2008 R2
Windows (unknown)
.lproj/
Localizable.strings
CertPath
Illegal to wait on a task in a Windows Runtime STA
\\.\Pipe\
impl\UJsonDocumentImpl.cpp
impl\win\HttpClient.cpp
http-equiv=content-type
theme/theme.json
win\UGroup.cpp
win\BaseUIImpl.cpp
PasswordMode
msgBox
waiting.gif
<app.*(<name>|<id>).*<exe
<app.*(<name>|<id>).*<url
/client.esc
/logo.png
/app.png
/update.xml
app.esc
AppManager.cpp
{"clientid":"{clientid}","operationType":%d,"ip":"{clientIP}","ts":"%lld"}
{"clientid":"{clientid}","id":"%s","appid":"%s","operationType":%d,"ip":"{clientIP}","ts":"%lld"}
/rest/uclientinfo/operateinfo/addbatch
/MANIFEST.xml
/export/
misc/g.jar
UClient.exe
UClient.app/Contents/MacOS/UClient
UClient.app
windows64
misc/Launcher.exe
/Launcher.exe
nc.ui.iufo.applet.uclient.Loader
iufoapp.jsp
App.cpp
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-5u22-windows-x64.zip
1.5.0_22
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-5u22-windows-i586.zip
javaw.exe
/bin/javaw.exe
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-6u31-windows-x64.zip
1.6.0_31
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-6u31-windows-i586.zip
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-7u51-windows-x64.zip
1.7.0_51
hXXp://uclient.yonyou.com/fileget/commonresource/jre/jre-7u51-windows-i586.zip
remote_url
NC_Login_v
UAP_Login_v
login.jsp
/login.jsp
{port}
{jre_url}
{nc_login_url}
1.7.0_25
misc/uap_app_template.esc
-Duclient.nc.needCloseprompt=1
-Djava.net.useSystemProxies=true
{icon_url}
nc.ui.sm.login.AppletContainer.class
nc.sfbase.applet.NCApplet.class
/lib/deploy.jar
org.granite.launcher.Launcher
nc.uclient.starter.JStarterUClient5
nc.uclient.starter
-Djava.net.useUClientProxies=true
-Duclient.procLabel=
-Duclient=true -Djava.net.preferIPv4Stack=true
-Duclient.productVersion=
-Duclient.ultraSpeed=true
-Duclient.ultraSpeed=true -Duclient.startVisible=true
/lib/plugin.jar
ServerInvoker.cpp
hXXp://uclient.yonyou.com
/login.html?type=forgetpwd
user/logout.rest
user/register.rest
user/login.rest
errMsg
user/smscode.rest
uclient/customize.rest
app/apptype.rest
app/listappbytype.rest
app/search.rest
app/delete.rest
uclient/uclientlogo.rest
message/myreceivemessages.rest
app/updateappdata.rest
app/synchronizeapp.rest
uclient/uclientcustomize.rest?version=
message/reporttaskresult.rest
Nonexecute
report
message/batchchangemessagestatus.rest
msgid
message/messagedetail.rest
message/memberenterprisenews.rest
message/batchdeletemessage.rest
message/batchdeletenews.rest
app/register.rest?sessionid=%s&appid=%s&mac=%s&type=%s
browser="chrome"
Web app from:
. Web app from:
http-equiv=x-ua-compatible
{url}
/favicon.ico
https:
http:
misc/light_app_template.esc
1.5.0
1.6.0
1.7.0
MANIFEST.xml
chrome.app
Installer.cpp
bin/javaw.exe
chrome.exe
openby=chrome
/app.ico
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
URL Protocol
Launcher.exe
/lib/amd64/jvm.cfg
/jre/lib/amd64/jvm.cfg
/lib/i386/jvm.cfg
/jre/lib/i386/jvm.cfg
127.0.0.1
AppProcess.cpp
/UClient.db
UMessageDAO.cpp
id QString PRIMARY KEY, title QString, content QString, time datetime, senderID QString, senderName QString, type QString, exdata QString, action QString, hasRead int, msgtype int
select count(*) as msgcount from
msgcount
ux
function <%s:%d>
%s '%s'
function '%s'
%s expected, got %s
%s:%d:
%s: %s
stack overflow (%s)
invalid option '%s'
(...tail calls...)
bad argument #%d (%s)
calling '%s' on bad self (%s)
bad argument #%d to '%s' (%s)
cannot %s %s: %s
%s: %p
PANIC: unprotected error in call to Lua API (%s)
version mismatch: app. needs %f, Lua core provides %f
error in __gc metamethod (%s)
invalid key to 'next'
attempt to load a %s chunk (mode is '%s')
.xXnN
-0123456789
<\%d>
invalid option '%%%c' to 'lua_pushfstring'
(%s '%s')
attempt to %s a %s value%s
attempt to compare two %s values
number%s has no integer representation
%s:%d: %s
attempt to compare %s with %s
perform bitwise operation on
too many %s (limit is %d)
%s near %s
unfinished long %s (starting at line %d)
invalid value (%s) at index %d in table for 'concat'
luaopen_%s
no module '%s' in file '%s'
no field package.preload['%s']
module '%s' not found:%s
'package.searchers' must be a table
system error %d
no file '%s'
error loading module '%s' from file '%s':
'package.%s' must be a string
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;!\..\share\lua\5.3\?.lua;!\..\share\lua\5.3\?\init.lua;.\?.lua;.\?\init.lua
!\?.dll;!\..\lib\lua\5.3\?.dll;!\loadall.dll;.\?.dll
field '%s' is out-of-bound
field '%s' missing in date table
invalid conversion specifier '%%%s'
field '%s' is not an integer
missing '[' after '%%f' in pattern
invalid use of '%c' in replacement string
^$* ?.([%-
invalid replacement value (a %s)
invalid capture index %%%d
invalid option '%%%c' to 'format'
integral size (%d) out of limits [1,%d]
\d
%d-byte integer does not fit into Lua Integer
invalid format option '%c'
cannot open file '%s' (%s)
standard %s file is closed
upvaluejoin
%s size mismatch in
%s: %s precompiled chunk
%s expected
too many %s (limit is %d) in %s
function at line %d
%s expected (to close %s at line %d)
label '%s' already defined on line %d
<goto %s> at line %d jumps into the scope of local '%s'
no visible label '%s' for <goto> at line %d
<%s> at line %d not inside a loop
![](inbox/head.png)
UButton#execute
task.png
uw_close.png
Kernel32.DLL
PSAPI.DLL
VDMDBG.DLL
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
failed to allocate %u bytes of memory
RowKey
GetProcessHeap
%s-shm
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict at line %d
recovered %d pages from %s
%s%c%s
failed to get page %d
%d of %d pages missing from overflow list starting at %d
freelist leaf count too big on page %d
unable to get the page. error code=%d
Page %d:
On tree page %d cell %d:
btreeInitPage() returns error code %d
cannot limit WAL size: %s
recovered %d frames from WAL file %s
2nd reference to page %d
invalid page number %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
Pointer map page %d is referenced
Page %d is never used
unknown database %s
Offset %d out of range %d..%d
On page %d at right child:
Multiple uses for byte %u of page %d
Fragmentation of %d bytes reported as %d on page %d
MJ delete: %s
%s-mjXXXXXX9XXz
-mjX9X
MJ collide: %s
FOREIGN KEY constraint failed
,%s%s
%s(%d)
FOREIGN KEY
%z: %s
%s constraint failed
cannot open savepoint - SQL statements in progress
abort at %d in [%s]: %s
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
database table is locked: %s
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot commit transaction - SQL statements in progress
sqlite_temp_master
indexed
foreign key
cannot open %s column for writing
misuse of aliased aggregate %s
cannot open value of type %s
cannot open table without rowid: %s
cannot open virtual table: %s
no such column: "%s"
cannot open view: %s
not authorized to use function: %s
%s: %s.%s
%s: %s.%s.%s
%s prohibited in %s
the "." operator
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
%d columns assigned %d values
too many SQL variables
too many columns in %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
unknown function: %s()
misuse of aggregate: %s()
%.*s"%w"%s
sqlite_rename_table
%s%.*s"%w"
sqlite_rename_parent
sqlite_rename_trigger
sub-select returns %d columns - expected %d
USING INDEX %s FOR IN-OPERATOR
EXECUTE %s%s SUBQUERY %d
hex literal too big: %s
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
%s OR name=%Q
type='trigger' AND (%s)
table %s may not be altered
sqlite_
view %s may not be altered
there is already another table or index with this name: %s
sqlite_stat4
sqlite_stat3
DELETE FROM %Q.%s WHERE %s=%Q
CREATE TABLE %Q.%s(%s)
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
too many attached databases - max %d
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
database %s is already in use
no such database: %s
unable to open database: %s
sqlite_%
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
object name reserved for internal use: %s
cannot detach database %s
sqlite_detach
database %s is locked
%s %T cannot reference objects in database %s
sqlite_attach
%s cannot use variables
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
too many columns on %s
there is already an index named %s
default value of column [%s] is not constant
duplicate column name: %s
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
sqlite_stat%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
PRIMARY KEY missing on table %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
table %s may not be indexed
virtual tables may not be indexed
views may not be indexed
index %s already exists
there is already a table named %s
expressions prohibited in PRIMARY KEY and UNIQUE constraints
sqlite_autoindex_%s_%d
table %s may not be dropped
sqlite_stat
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
cannot create a TEMP index on non-TEMP table "%s"
unknown column "%s" in foreign key definition
a JOIN clause is required before %s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
no such index: %S
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
%s.%s
unable to identify the object to be reindexed
%s.rowid
no such collation sequence: %s
duplicate WITH table name: %s
cannot modify %s because it is a view
table %s may not be modified
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_source_id
sqlite_version
sqlite_log
unable to open shared library [%s]
sqlite3_extension_init
sqlite3_
no entry point [%s] in shared library [%s]
automatic extension loading failed: %s
error during initialization: %s
table %S has no column named %s
foreign key mismatch - "%w" referencing "%w"
%d values for %d columns
table %S has %d columns but %d values were supplied
defer_foreign_keys
foreign_key_check
foreign_keys
foreign_key_list
NULL value in %s.%s
*** in database %s ***
malformed database schema (%s)
%z - %s
CREATE TABLE x(type text,name text,tbl_name text,rootpage integer,sql text)
unsupported encoding: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
SELECT name, rootpage, sql FROM "%w".%s ORDER BY rowid
unsupported file format
database schema is locked: %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%.*z:%u
column%d
ORDER BY clause should come after %s not before
recursive aggregate queries not supported
LIMIT clause should come after %s not before
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
too many references to "%s": max 65535
sqlite_sq_%p
no such table: %s
%s.%s.%s
no such index: %s
SELECTs to the left and right of %s do not have the same number of result columns
multiple references to recursive table: %s
'%s' is not a function
table %s has %d values for %d columns
circular reference: %s
recursive reference in a subquery: %s
multiple recursive references: %s
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
expected %d columns for '%s' but got %d
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
cannot VACUUM - SQL statements in progress
SELECT sql FROM "%w".sqlite_master WHERE type='index' AND length(sql)>10
SELECT sql FROM "%w".sqlite_master WHERE type='table'AND name<>'sqlite_sequence' AND coalesce(rootpage,1)>0
INSERT INTO vacuum_db.sqlite_master SELECT*FROM "%w".sqlite_master WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)
SELECT'INSERT INTO vacuum_db.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM vacuum_db.sqlite_master WHERE type='table'AND coalesce(rootpage,1)>0
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
DELETE FROM %Q.%s WHERE name=%Q AND type='trigger'
no such trigger: %S
no such column: %s
-- TRIGGER %s
ANY(%s)
TABLE %s
SUBQUERY %d
PRIMARY KEY
AS %s
vtable constructor called recursively: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
automatic index on %s(%s)
too many arguments on %s() - max %d
%s.xBestIndex malfunction
at most %d tables in a join
INDEX %s
COVERING INDEX %s
VIRTUAL TABLE INDEX %d:%s
USING INTEGER PRIMARY KEY (rowid%s?)
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
unknown operation
SQL logic error or missing database
unknown database: %s
large file support is disabled
no such vfs: %s
%s mode not allowed: %s
%s at line %d of [%.10s]
no such %s mode: %s
no such table column: %s.%s
</%s>
<![CDATA[%s]]>
<!%s>
<!--%s-->
<?%s?>
0000000000000000
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
F:\work\uclient_group\uclient-one\build\bin\Release\UClient.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPB
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
.rsrc$01
.rsrc$02
GdiplusShutdown
gdiplus.dll
HttpOpenRequestW
HttpQueryInfoW
InternetCrackUrlW
HttpEndRequestW
HttpSendRequestExW
HttpSendRequestW
WININET.dll
VERSION.dll
CreateNamedPipeA
CreateNamedPipeW
DisconnectNamedPipe
ConnectNamedPipe
CreatePipe
KERNEL32.dll
EnumWindows
GetKeyState
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCloseKey
RegEnumKeyExW
RegDeleteKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
WS2_32.dll
IPHLPAPI.DLL
GetCPInfo
.?AVstl_condition_variable_concrt@details@Concurrency@@
.?AVstl_critical_section_concrt@details@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AUITopologyExecutionResource@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AUIExecutionContext@Concurrency@@
.?AVAppsExportController@@
.?AVAppsImportController@@
.?AVLoginController@@
.?AVUClientScriptExecutor@@
.?AVUScriptExecutor@@
.?AVLuaExecutor@@
.?AVAppsExportView@@
.?AVAppsExportItemView@@
.?AVAppsImportItemView@@
.?AVAppsImportView@@
.?AV?$_Func_impl@V?$_Binder@U_Unforced@std@@P8UControllerView@@AEHPAVUShape@@PAX@ZQAVLoginView@@ABU?$_Ph@$00@2@ABU?$_Ph@$01@2@@std@@V?$allocator@H@2@HPAVUShape@@PAX@std@@
.?AV?$_Binder@U_Unforced@std@@P8UControllerView@@AEHPAVUShape@@PAX@ZQAVLoginView@@ABU?$_Ph@$00@2@ABU?$_Ph@$01@2@@std@@
.?AVLoginView@@
.?AU_Crt_new_delete@std@@
.?AVUHttpClient@@
.?AVinvalid_operation@Concurrency@@
.?AVUHttpClientImpl@@
.?AVProgressImpl@UHttpClientImpl@@
.?AVHttpRequest@@
.?AVHttpResponse@@
.?AVHttpResponseImpl@@
.?AUExecuteInfo@@
.?AVOfflineChromeInstaller@@
.?AVAppExporter@@
.?AVExeApp@@
.?AVUSQLite@@
.?AVUSQLiteQuery@@
c:/A83D1C~1.EXE
localization/English.lproj/PK
localization/English.lproj/Localizable.strings
localization/zh-Hans.lproj/PK
localization/zh-Hans.lproj/Localizable.strings
x%.LT
3@.ko8
an.VH
=\.gs
-K.lT
O.GDZ
Q%U1B
J.HX!O
%S1?]c
.sH.)
"Zz%xQ
bU.oiBb'
.Zgg;L
.Gc`U
~V4%F
c.aYl
V:TvwRfLX%F
-uh}6
v.ba\J
misc/getAllEnApp.json
misc/light_app_template.esc]Q
misc/uap_app_template.escuS
theme/images/about.pnguS}H
theme/images/app_name.png]P
'Eq%DZy
theme/images/arrow_down.png]RmHSQ
theme/images/arrow_up.png]RmHSQ
%UOC3
theme/images/banner.pngDY
LKD-r}d
?M.Un
%xKkR5#P/
theme/images/banner2.jpg
theme/images/banner3.jpg
L 00P.PQ
@-mm}eE]
.sxP@
P.Lu]
C.PdW2
M[.fP
k.OR.cI
theme/images/check_checked.png
theme/images/check_unchecked.png]Q]h
theme/images/conn_fail.png%Y
theme/images/delete.png]P
theme/images/goback.png]U
theme/images/icon_add.png
theme/images/icon_app.png]P
theme/images/icon_ask.png]P
Wd1%U
%U2C8
theme/images/icon_bq8.png]VuT
theme/images/icon_cover.png]Ty<
='8MQe%C
E.yxhEA
theme/images/icon_error.png]W
.RT=g/
~.BPF
"*.*Z
J.dQA
theme/images/icon_green.png
theme/images/icon_info.png]VuT
theme/images/icon_install.png
theme/images/icon_ism.png
K.NeAW
theme/images/icon_java.png
theme/images/icon_light.png
theme/images/icon_nc5.png]P
%x~eiCT
theme/images/icon_nc63.png]S
theme/images/icon_nc65.png]P
IuF
theme/images/icon_save.png]P
theme/images/icon_uclient.png]XeT
.SQp!
theme/images/icon_update.png
theme/images/icon_upgrade.png
theme/images/icon_ver.png
theme/images/im/company.png
.kUK~
theme/images/im/group.png
theme/images/im/im_add.png
F.%Sl
theme/images/im/im_search.png
9%S]#
theme/images/im/im_setup.png
theme/images/im/stranger.png
theme/images/im/user.png
theme/images/inbox/head.png]R
theme/images/logo_yonyou.png
theme/images/mw_close.png]QMh
theme/images/mw_drop.png]QMh
theme/images/mw_max.png]Q
theme/images/mw_min.png]QMN
theme/images/mw_res.png]QMH
theme/images/radio_checked.png]S
(zc.Lc
theme/images/radio_tab_ind.png]QM/3Q
f|.tn[,:
theme/images/radio_unchecked.png]R_HSQ
theme/images/rmenu.png]RoH
theme/images/slide_button.png]QMh
theme/images/task.png]RkHSa
theme/images/tb_open.png]P
theme/images/tb_run.png]R{HSa
theme/images/tb_save.png]P
theme/images/title_bg.png
IC.MZ
.mUog
theme/images/update.png
theme/images/user_login.png]R_HSQ
theme/images/user_notlogin.png]R{HSQ
theme/images/uw_close.png]R
theme/images/waiting.gif
localization/English.lproj/
localization/zh-Hans.lproj/
theme/images/about.png
theme/images/app_name.png
theme/images/arrow_down.png
theme/images/arrow_up.png
theme/images/banner.png
theme/images/check_unchecked.png
theme/images/conn_fail.png
theme/images/delete.png
theme/images/goback.png
theme/images/icon_app.png
theme/images/icon_ask.png
theme/images/icon_bq8.png
theme/images/icon_cover.png
theme/images/icon_error.png
theme/images/icon_info.png
theme/images/icon_nc5.png
theme/images/icon_nc63.png
theme/images/icon_nc65.png
theme/images/icon_save.png
theme/images/icon_uclient.png
theme/images/inbox/head.png
theme/images/mw_close.png
theme/images/mw_drop.png
theme/images/mw_max.png
theme/images/mw_min.png
theme/images/mw_res.png
theme/images/radio_checked.png
theme/images/radio_tab_ind.png
theme/images/radio_unchecked.png
theme/images/rmenu.png
theme/images/slide_button.png
theme/images/task.png
theme/images/tb_open.png
theme/images/tb_run.png
theme/images/tb_save.png
theme/images/user_login.png
theme/images/user_notlogin.png
theme/images/uw_close.png
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
4%4u4
1"1@1^1|1
0
0
5%6u6A8
0 020>0|0
>$>:>]>{>
7&858 9;9]9{9
11
1,2I2P2
0%1x1
2,2
7%7X7&888s8
6m6
80[0&181_1
2-3J3}3
4&5~5&656
4L4
; ;$;(;,;0;4;8;<;@;
0(0,0004080\0
6 6$6(6,60646
; ;$;2<9<
<)=$>(>,>0>4>8>
5%5u5
0 0$0(0,00040
2*7479719
3 3$3(3,3:3
>#? ?0?;?
5 5$5(5,50545
1-282B2U2a2o2}2
> >8><>@>
5 5$5(5|5
9 9$9(9,9094989<9
2 2$2(2,20242
:,:4:<:|;
: :$:(:,:0:4:
= =$=(=,=0=4=8=
3 3$3(3,3034383<3
?,?8?@?`?|?
2,282@2`2|2
combase.dll
advapi32.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
.mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
K[%s]%s
Process request commandline: %s
Response for process request(command): %s
maybe other uclient instance is running, retry: %d
uclient bind to namedpipe
Process command line: %s
onProcessRequest: %s
OK:%d
DuplicateAndReload: %s
DuplicateAndReload OK. (from: %s)
/c " ping 127.0.0.1 -n 1 > nul && del /q /f
````__^^^]
ropenby=%s&trustedSite=%s&compatibleMode=%s
Shell32.dll
\StringFileInfo\%s\%s
s%s/webimage_%x
kernel32.dll
ntdll.dll
windows-874
windows-1251
windows-1250
windows-1253
windows-1252
windows-1258
windows-1255
windows-1254
windows-1257
windows-1256
%s %s
"%s" %s
application/x-www-form-urlencoded
Bad response: %d
Requested URL not found
Server does not support requested method
HTTP/1.0
dUnexpected path index %d
%d %%
dwmapi.dll
UxTheme.dll
%c#%d
Fail to fetch appdesc from: %s
Auto generate appdesc from '%s' succeeded.
try to start not existed app: %s
end RUB, spend time: %d
end PUB, spend time: %d, result: %s
error PUB, spend time: %d, result: %s
error PUB, spend time: %d, error code: %d
UClient location is changed after the last version check,old: %s, now %s
lFail to download uclient from location %s
asyncDynamicProcessApp begin, request app size: %d, first app: %s
process app by uri: %s
tDownload uclient from location %s, but version is not correct, need version: %s, real version: %s
Download uclient from location %s successfully
The request app %s is found, id %s, it will %s be started
Bad request web url: %s
%s download failure! Error code: %d
hXXp://uclient.yonyou.com/fileget/commonresource/chrome/chrome-win64.zip
hXXp://uclient.yonyou.com/fileget/commonresource/chrome/chrome-win32.zip
Parse app profile error, id: %s, codebase: %s name: %s
%x-%x
App id: %s, name: %s, exited with code: %d
start app %s error, app config error
Warm app by commandline: %s
Start app by commandline: %s
App id: %s, name: start error
try to warm app %s but app is already warmd
icon_%x
-Xmx%dM
-Xms%dM
-XX:MaxPermSize=%dM
.%x-%x
uclient cloud: %s
/%x.png
<resources><chrome sharable="true" href="%s" version="%s" optional="true"/></resources>
<app><id>%s</id><name>%s</name><version>%s</version><logo>%s</logo><desc>%s</desc><platform>%s</platform></app>
lfail to setup for app %s whith optional resource: %s
setup for app: %s error, resource: %s
%x.%s
%s download succeed. %d bytes
download: app optional resource not found: %s
download: app error: %s, resource not found: %s
Prepare install app[%s] from: %s
URL:%s protocol handler
\*.lnk
i\bin\javaw.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
Range%d
\UClient.exe
Active app: %s, with: %s
try to active app %s with argument: %s
Activate app [%s] through port %d OK.
Fail to read warm port file: %s for app %s
Activate app [%s] through port %d failure.
try activate app [%s] through os support.
Filed to save the message to table '%s', msgid = '%s', msgtitle = '%s' time = '%s'. error:'%s'
Filed to open the UClient database '%s'
messages_%x
Filed to create the data to table '%s' error:'%s'
Filed to get the latest message time from table '%s'. error:'%s'
and msgtype = %d
where msgtype = %d
Filed to query sql = '%s'. error:'%s'
where hasRead = %d and msgtype = %d
Filed to delete the messages from table '%s' error:'%s'
update %s set hasRead = %d where id = '%s'
Filed to query table '%s', sql = '%s'. error:'%s'
NTVDM.EXE
Create table %s(%s)
select count(*) from %s where %s='%s'
select count(*) from sqlite_master where type='table' and name='%s'
c:\%original file name%.exe
Export Apps
Import Apps
1.1.0-build 201612261610
1.1.0-build 201612261610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:4000

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\887c79c2.png (12284 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\temp\UClient_1.1.0-build 201802060905.exe (553380 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\procid (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\5416ff4d.png (46228 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4344B8AF97AF3A423D9EE52899963CDE_18137DFDB67BCED2F0AFBCB9940D780B (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9C20.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\69ab628f.png (15548 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\UClient.db-journal (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C (1640 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\卸载UClient.lnk (651 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\downloads\banners\banners.json (573 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4344B8AF97AF3A423D9EE52899963CDE_18137DFDB67BCED2F0AFBCB9940D780B (1640 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\log\main.log (970 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UClient\UClient.lnk (649 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UClient\share\.l (393 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9C21.tmp (2712 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "UClient" = "c:\A83D1C~1.EXE /s"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
