Trojan.Generic.20490643_ce58858cf9
Trojan.Generic.20490643 (B) (Emsisoft), Trojan.Generic.20490643 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ce58858cf934faff370df9a87e4501d6
SHA1: 885b88738a383cb225250059a76ab45031648464
SHA256: 50f0c5f4bb9a2ce652f9bbfe0d23d0b4944c3da528a850bf5ff0284392552317
SSDeep: 24576:UZImNoP3JCGtsmUWABcCktGtIRb92nxfN2nqhXjuLojq8C:Uz fJYmUCCa8IRx2x12qh6LalC
Size: 1527808 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-03 08:04:54
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan's code was observed executing in the following process(es) (only the sample's own process; no injection into another process was recorded):
%original file name%.exe:1900
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). All of them are Internet Explorer cache entries, CryptnetUrlCache entries and temporary CAB extraction files written by WinINet and CryptoAPI during the HTTP and certificate-revocation activity recorded below, not payload files dropped by the sample:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sslnavcancel[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getimage[1].jpg (2144 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. The HKLM\SOFTWARE\Microsoft\Tracing\<md5>_RASAPI32 and _RASMANCS keys are created by the RAS libraries whenever a process loads them (WinINet does so for autodial), and the Internet Settings\ZoneMap and Connections values are WinINet defaults; they identify the process that used HTTP but are not a persistence mechanism:
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
[HKLM\SOFTWARE\Microsoft\Tracing\ce58858cf934faff370df9a87e4501d6_RASMANCS]
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ?????? (the runs of '?' in this block are non-ASCII, presumably Chinese, characters that did not survive extraction)
Product Name: 2016???Q??Q??[vip?????]
Product Version: 1.9.6.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.9.6.0
File Description: ????qq?????Q???
Comments: ??????????(http://www.eyuyan.com) (eyuyan.com is the home of the Chinese E-Language / 易语言 compiler, which matches the FlyStudio detection names above)
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 786106 | 786432 | 4.53179 | ba838b5b8bd592a3c95f6970d847f793 |
| .rdata | 790528 | 617262 | 618496 | 4.89045 | 1d165cc57001bf63f3ee854cdd4bcbcb |
| .data | 1409024 | 300234 | 86016 | 3.78543 | c8df97cf31112958a5ee3352d27f2ad8 |
| .rsrc | 1712128 | 29704 | 32768 | 3.89631 | 4924d77ba657c49a0465f9ed68190932 |
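
The section table is what backs the "Entropy: Not Packed" verdict above: all four sections sit between 3.8 and 4.9 bits per byte, far from the 7+ that compressed or encrypted content produces, so the Armadillo and UPolyX PEiD matches should be read as signature false positives rather than evidence of packing. The .data row is also worth a look: its virtual size (300234) is about 3.5x its raw size (86016), which is normal for uninitialised data but is the same shape a section reserved for an in-memory unpacker would have. The script below is an added example written for this page, not part of the Lavasoft report; it parses a PE32 section table and applies both checks, and because it has to run offline it builds a constructed sample image instead of reading the analysed file.

```python
import math
import random
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align(x, a):
    return (x + a - 1) // a * a


def build_pe(sections):
    """Build a minimal PE32 image (MZ stub, PE signature, COFF header, zeroed
    optional header, section table, raw section data) from a list of
    (name, raw_bytes, virtual_size). Enough structure for section-table parsers."""
    opt_size = 224                                   # PE32 optional header size
    hdr_len = _align(64 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    table, body = b"", b""
    raw_ptr, vaddr = hdr_len, SECT_ALIGN
    for name, raw, vsize in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, raw_size,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(max(vsize, raw_size), SECT_ALIGN)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(hdr_len, b"\0") + body


def section_report(pe, packed_threshold=7.0, bss_ratio=2.0):
    """Parse the section table and return ([section dicts], verdict).
    Flags: 'high-entropy' when entropy >= packed_threshold (compressed/encrypted
    content), 'virtual>>raw' when VirtualSize > bss_ratio * SizeOfRawData
    (uninitialised data, or room reserved for an in-memory unpacker)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    rows = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        ent = entropy(pe[rptr:rptr + rsize])
        flags = []
        if ent >= packed_threshold:
            flags.append("high-entropy")
        if rsize and vsize > bss_ratio * rsize:
            flags.append("virtual>>raw")
        rows.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                     "rsize": rsize, "entropy": round(ent, 5), "flags": flags})
    verdict = "likely packed" if any("high-entropy" in r["flags"] for r in rows) else "not packed"
    return rows, verdict


# Constructed sample image (not the analysed binary): a low-entropy code section, a
# .data section whose virtual size dwarfs its raw size like the report's .data row,
# and a pseudo-random section standing in for packed content. Seeded for reproducibility.
_rng = random.Random(1)
SAMPLE_PE = build_pe([
    (".text", bytes([0x55, 0x8B, 0xEC, 0x90]) * 256, 1024),
    (".data", b"\0" * 512, 300234),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 4096),
])

if __name__ == "__main__":
    rows, verdict = section_report(SAMPLE_PE)
    for r in rows:
        print("%-6s vsize=%-7d rsize=%-5d entropy=%.3f %s"
              % (r["name"], r["vsize"], r["rsize"], r["entropy"], ",".join(r["flags"])))
    print("verdict:", verdict)
```

Applied to the real file, the same function would report entropies matching the table above and no high-entropy flag, which is the check that overrides a PEiD packer signature.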
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://a1574.b.akamai.net/getimage?aid=11000101&0.46598424223382673 | |
| hxxp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673 | |
| hxxp://guenon.mig.tencent-cloud.net/web/payszx/index.jsp?p=yd&appId=1 | |
| hxxp://pay.qq.com/ | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= | |
| hxxp://e6845.dscb1.akamaiedge.net/ss.crl | |
| hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
| hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= | |
| hxxp://mpay.qq.com/web/payszx/index.jsp?p=yd&appId=1 | |
| hxxp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673 | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon | |
| hxxp://ss.symcb.com/ss.crl | |
| hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY | |
| hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= | |
| hxxp://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= | |
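
Most rows in this table are not contact with the sample's own infrastructure. The long base64 path segments on ocsp.verisign.com, ss.symcd.com, s2.symcb.com, clients1.google.com and their akamaiedge/google CDN aliases are OCSP requests sent by Windows CryptoAPI (User-Agent Microsoft-CryptoAPI/6.1 in the traffic below) to check the revocation status of TLS certificates it encountered, and ss.symcb.com/ss.crl is the matching CRL download. Each path is a DER-encoded OCSPRequest (RFC 6960, section A.1), so it can be decoded offline to recover the issuer hashes and the serial number of the certificate being checked. The decoder below is an added example written for this page, not part of the Lavasoft report; it uses only the standard library, and the URLs embedded in it are copied from the table above.

```python
import base64
from urllib.parse import unquote, urlsplit

# CertID.hashAlgorithm OIDs (dotted form -> name); anything else is returned as the OID
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _oid(value):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_request(der):
    """Extract the CertID from a minimal RFC 6960 OCSPRequest by descending
    OCSPRequest > TBSRequest > requestList > Request > CertID. Optional
    TBSRequest fields ([0] version, [1] requestorName) are skipped because
    only the first SEQUENCE (tag 0x30) child is followed at each level."""
    tag, outer, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    value = outer
    for _ in range(4):
        value = next(inner for t, inner in _children(value) if t == 0x30)
    alg, name_hash, key_hash, serial = [v for _, v in _children(value)]
    alg_oid = _oid(next(v for t, v in _children(alg) if t == 0x06))
    return {
        "hash_alg": HASH_OIDS.get(alg_oid, alg_oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": format(int.from_bytes(serial, "big"), "x"),
    }


def decode_ocsp_get_url(url):
    """Decode an OCSP-over-GET URL (RFC 6960 A.1). The base64 request is the
    tail of the path, but base64 itself may contain '/', so try the suffix
    after every '/' and accept the first one that parses as an OCSPRequest.
    Returns None when nothing parses, i.e. the URL is not an OCSP GET."""
    path = unquote(urlsplit(url).path)
    for i, ch in enumerate(path):
        if ch != "/":
            continue
        try:
            return parse_ocsp_request(base64.b64decode(path[i + 1:], validate=True))
        except (ValueError, IndexError, StopIteration):
            continue
    return None


# URLs copied from the report's URL table (hxxp kept as written there).
REPORT_URLS = [
    "hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0=",
    "hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0=",
    "hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon",
    "hxxp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673",
]


def triage_urls(urls):
    """Map each URL to its decoded CertID, or None for non-OCSP traffic."""
    return {u: decode_ocsp_get_url(u) for u in urls}


if __name__ == "__main__":
    for url, info in triage_urls(REPORT_URLS).items():
        print(url.split("/")[2], "->", info or "not an OCSP request")
```

Running it shows that the ocsp.verisign.com row and the e8218.dscb1.akamaiedge.net row carry an identical CertID (SHA-1 issuer hashes, serial 250ce8e030612e9f2b89f7054d7cf8fd), so the CDN host is the same lookup and not a second contact, while the qq.com URLs are the only rows that decode to nothing and therefore the only ones that came from the sample's own logic.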
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1
Cache-Control: max-age = 363986
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 17 Nov 2013 16:06:48 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1454
content-transfer-encoding: binary
Cache-Control: max-age=396679, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Mar 2017 15:56:48 GMT
Expires: Fri, 24 Mar 2017 15:56:48 GMT
Date: Mon, 20 Mar 2017 01:48:11 GMT
Connection: keep-alive
<<< binary application/ocsp-response body (1454 bytes) skipped; readable fields: thisUpdate 20170317155648Z, nextUpdate 20170324155648Z, responder certificate "Symantec Class 3 PCA - G1 OCSP Responder Certificate 5" issued by VeriSign Class 3 Public Primary Certification Authority, valid 161122000000Z to 171214235959Z >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV+c/AZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEHF2+m7Z+GDj1WzD9OigflM= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1609
content-transfer-encoding: binary
Cache-Control: max-age=591891, public, no-transform, must-revalidate
Last-Modified: Sun, 19 Mar 2017 22:08:46 GMT
Expires: Sun, 26 Mar 2017 22:08:46 GMT
Date: Mon, 20 Mar 2017 01:48:22 GMT
Connection: keep-alive
<<< binary application/ocsp-response body (1609 bytes) skipped; readable fields: thisUpdate 20170319220846Z, nextUpdate 20170326220846Z, responder certificate "Symantec Class 3 Secure Server CA - G4 OCSP Responder" issued by Symantec Class 3 Secure Server CA - G4, valid 170204000000Z to 170505235959Z >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=405589, public, no-transform, must-revalidate
Last-Modified: Fri, 17 Mar 2017 18:27:12 GMT
Expires: Fri, 24 Mar 2017 18:27:12 GMT
Date: Mon, 20 Mar 2017 01:48:16 GMT
Connection: keep-alive
<<< binary application/ocsp-response body (1763 bytes) skipped; readable fields: thisUpdate 20170317182712Z, nextUpdate 20170324182712Z, responder certificate "Symantec Class 3 PCA - G5 OCSP Responder Certificate 5" issued by VeriSign Class 3 Public Primary Certification Authority - G5, valid 161122000000Z to 171214235959Z >>>
GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: captcha.qq.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: tencent http server
Accept-Ranges: bytes
Pragma: No-cache
P3P: CP=CAO PSA OUR
Content-Length: 2368
Set-Cookie: verifysession=h013d04c62b54ab627dc04a93fd526c5eb5ad88ad941617911717f7034478cfb6b06ad58adbbb4933f0; PATH=/; DOMAIN=qq.com;
Connection: close
Content-Type: image/jpeg
<<< binary JPEG (JFIF) body, 2368 bytes, skipped: the CAPTCHA image served by captcha.qq.com >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: pay.qq.com
Connection: Keep-Alive
Cookie: verifysession=h013d04c62b54ab627dc04a93fd526c5eb5ad88ad941617911717f7034478cfb6b06ad58adbbb4933f0
HTTP/1.1 302 Found
Date: Mon, 20 Mar 2017 01:48:04 GMT
Server: Apache
Location: hXXps://pay.qq.com/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 183
Connection: close
Content-Type: text/html; charset=iso-8859-1
<<< gzip-compressed 183-byte redirect body skipped >>>
GET /web/payszx/index.jsp?p=yd&appId=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: mpay.qq.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: HTTP Load Balancer/2.0
Location: hXXp://pay.qq.com
Content-Type: text/html; charset=utf-8
Content-Length: 55
Date: Mon, 20 Mar 2017 01:48:03 GMT
Cache-Control: no-cache
Pragma: no-cache

The URL has moved <a href="hXXp://pay.qq.com">here</a>.
GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ptlogin2.qq.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: Tencent Login Server/2.0.0
Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673
Content-Type: text/html
Content-Length: 5
X-N: S
Date: Mon, 20 Mar 2017 01:48:02 GMT
Connection: keep-alive
X-N: S
<<< 5-byte body and a duplicated copy of this response skipped >>>
GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ptlogin2.qq.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: Tencent Login Server/2.0.0
Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673
Content-Type: text/html
Date: Mon, 20 Mar 2017 01:48:02 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
<<< 5-byte chunked body skipped >>>
GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: captcha.qq.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: tencent http server
Accept-Ranges: bytes
Pragma: No-cache
P3P: CP=CAO PSA OUR
Content-Length: 2010
Set-Cookie: verifysession=h0117b92d73648111be1fdbca1a1ac49993b053d64d525126f36d07e0df5556adc7168c603c3453ec68; PATH=/; DOMAIN=qq.com;
Connection: close
Content-Type: image/jpeg
<<< binary JPEG (JFIF) body, 2010 bytes, skipped: a second CAPTCHA image served by captcha.qq.com >>>
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 404 Not Found
Date: Mon, 20 Mar 2017 01:48:59 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<<< standard Google "Error 404 (Not Found)" HTML page (1668 bytes) skipped >>>
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY HTTP/1.1
Cache-Control: max-age = 345600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 404 Not Found
Date: Mon, 20 Mar 2017 01:49:05 GMT
Content-Type: text/html; charset=UTF-8
Server: ocsp_responder
Content-Length: 1668
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
<<< standard Google "Error 404 (Not Found)" HTML page (1668 bytes) skipped >>>
GET /ss.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcb.com
HTTP/1.1 200 OK
Server: Apache
ETag: "2388cd8933b5c29a94912017ff29226d:1489957895"
Last-Modified: Sun, 19 Mar 2017 21:11:35 GMT
Date: Mon, 20 Mar 2017 01:48:26 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< binary chunked CRL body skipped; readable fields: issuer Symantec Class 3 Secure Server CA - G4, thisUpdate 170319210119Z, nextUpdate 170326210119Z, followed by the revoked-certificate list >>>
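
The capture above mixes three kinds of traffic: CryptoAPI revocation checks (User-Agent Microsoft-CryptoAPI/6.1), requests sent with the sample's hard-coded User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" (the same string appears in its strings below), which claims Windows 2000 on a Windows 7 SP1 host and is what fires the ET POLICY Unsupported/Fake Windows NT Version 5.0 alert, and WinINet requests carrying the host's default IE User-Agent. It also shows the verifysession cookie issued by captcha.qq.com being presented on the following request to pay.qq.com. The script below is an added example written for this page, not Lavasoft's tooling; it reimplements that triage over messages reconstructed from the captured headers (bodies dropped), and the host's NT version is an assumption taken from the "Analyzed on" line in the report header.

```python
import re

HOST_NT = "6.1"          # assumption from the report header: Windows 7 SP1 is NT 6.1
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def parse_http(raw):
    """Split a raw HTTP message into (start_line, {lower_name: [values]}).
    Values are lists so repeated headers (Set-Cookie, X-N above) all survive."""
    lines = raw.strip("\r\n").splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def classify_request(raw):
    """Bucket one captured request for triage."""
    _, h = parse_http(raw)
    ua = h.get("user-agent", [""])[0]
    if ua.startswith("Microsoft-CryptoAPI/"):
        return "os-noise:revocation-check"        # CRL/OCSP fetch by the OS cert stack
    m = NT_RE.search(ua)
    if m and m.group(1) != HOST_NT:
        # Same reasoning as ET POLICY "Unsupported/Fake Windows NT Version": the UA
        # names an OS the host is not running, so the string is hard-coded in the sample.
        return "sample:fake-ua(NT %s)" % m.group(1)
    return "sample:browser-like"


def _cookie_pairs(header_value):
    """'a=1; b=2; Path=/;' -> [('a', '1'), ('b', '2'), ('Path', '/')]."""
    pairs = []
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_cookie_replay(exchanges):
    """exchanges: [(request_raw, response_raw), ...] in capture order. Returns
    (cookie_name, issuing_host, receiving_host) for each cookie one host set
    that a later request presented, with the same value, to a different host."""
    issued = {}                                   # (name, value) -> host that set it
    findings = []
    for req_raw, resp_raw in exchanges:
        _, rh = parse_http(req_raw)
        host = rh.get("host", [""])[0]
        for cookie_header in rh.get("cookie", []):
            for name, value in _cookie_pairs(cookie_header):
                origin = issued.get((name, value))
                if origin and origin != host:
                    findings.append((name, origin, host))
        _, sh = parse_http(resp_raw)
        for set_cookie in sh.get("set-cookie", []):
            name, value = _cookie_pairs(set_cookie)[0]   # first pair is the cookie itself
            issued[(name, value)] = host
    return findings


def triage(exchanges):
    return {"labels": [classify_request(req) for req, _ in exchanges],
            "cookie_replay": find_cookie_replay(exchanges)}


# Constructed from the request/response headers in the capture above; bodies dropped.
SESSION = "h013d04c62b54ab627dc04a93fd526c5eb5ad88ad941617911717f7034478cfb6b06ad58adbbb4933f0"
EXCHANGES = [
    ("GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18+P0= HTTP/1.1\n"
     "User-Agent: Microsoft-CryptoAPI/6.1\nHost: ocsp.verisign.com\n",
     "HTTP/1.1 200 OK\nContent-Type: application/ocsp-response\nContent-Length: 1454\n"),
    ("GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1\n"
     "Accept-Language: zh-cn\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
     "Host: captcha.qq.com\n",
     f"HTTP/1.1 200 OK\nSet-Cookie: verifysession={SESSION}; PATH=/; DOMAIN=qq.com;\n"
     "Content-Type: image/jpeg\n"),
    ("GET / HTTP/1.1\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)\n"
     f"Host: pay.qq.com\nCookie: verifysession={SESSION}\n",
     "HTTP/1.1 302 Found\nLocation: hXXps://pay.qq.com/\n"),
]

if __name__ == "__main__":
    print(triage(EXCHANGES))
```

The cookie check is the part worth keeping in a sandbox post-processor: a session cookie minted by a login/CAPTCHA endpoint and immediately replayed against a payment host is the behaviour the strings below (pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi, &CardPassword=) point at, and it is invisible to per-request User-Agent rules.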
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
wininet.dll
kernel32.dll
user32.dll
gdiplus.dll
ole32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GdiplusShutdown
{E5000198-4471-40e2-92BC-D0BA075BDBB2}V1.9.6.0
hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}2261939640
1979702092
2195733177
2629814928
2055665890
1626987327
2576630023
2924736578
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
hXXp://pay.qq.com/ipay/index.shtml
hXXp://VVV.77sqb.com/k.php
hXXp://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi
&CardPassword=
@wininet.dll
VVV.meitu.com
VVV.zsno1.com/7
1.gif
2.gif
3.gif
4.gif
5.gif
6.gif
yB.cP
.dTr7
{(.mop~.Xzxy
%xFwM
f_.Yc
G.HBP
y.WFx
'*U%F
.kYEIY
, #&')*)
-0-(0%()(
*u%UiMS
.qU'(
M<.YR
.ui-5
xZN.ucK
.NN4=
<F.yV)
pD.dh
-8C}{m.RTta=
N1T'.eKNd
1276458045
hXXp://mpay.qq.com/web/payszx/index.jsp?p=yd&appId=1p
hXXp://175qb.com
hXXp://yuntv.letv.com/bcloud.swf?uu=e394040e6e&vu=2dd8fcdc60&auto_play=1&gpcflag=1
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetViewportOrgEx
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
.comment {color:green}burlywood
\winhlp32.exe
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
- Skin.dll
(*.*)
1.9.6.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_1900_rwx_10000000_0003E000:
`.rsrc
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\sslnavcancel[1] (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getimage[1].jpg (2144 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ErrorPageTemplate[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\705A76DE71EA2CAEBB8F0907449CE086_A7AD5ECEFDDB55D03EC8A580934831A0 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD623.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\errorPageStrings[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_48[1] (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0A2EA55F20CC96EF43A26E7FAF8A2217 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\bullet[1] (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\httpErrorPagesScripts[1] (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0A2EA55F20CC96EF43A26E7FAF8A2217 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\background_gradient[1] (453 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\navcancl[1] (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD622.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.