Trojan.NSIS.StartPage_3b9f271b03

by malwarelabrobot on August 19th, 2017 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 3b9f271b031ed7fc63537a243ec35b19
SHA1: 46a2de67f1e7edb9c451618ef3899596f5716921
SHA256: 6df8f75fcfd8b56862fcd88ea6a577272571d1d0aede169a095567f3f0c27163
SSDeep: 24576:IZ6w8wuU5wJvqtDWMzxFLd9QtV58KtAXeoSEZvIcQNsJluf6wB:gX8TYwJu7Qtv88AuoVAcCsJqXB
Size: 1180968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:41
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

AnCamCorder_UpdateVer_3.4.6.exe:868
AnCamCorder_UpdateVer_3.4.6.exe:3396
AnCamCorder_UpdateVer_3.4.6.exe:3908
AnCamCorder_UpdateVer_3.4.6.exe:3640
AntoolsUpdate_SetUp.exe:2824
AntoolsUpdate_SetUp.exe:1252
AntoolsUpdate_SetUp.exe:760
AntoolsUpdate_SetUp.exe:3184
AntoolsUpdate_SetUp.exe:1528
ancamcorderupdate.exe:2308
ancamcorderupdate.exe:3476
ancamcorderupdate.exe:4004
ancamcorderupdate.exe:3096
ancamcorderupdate.exe:3264
%original file name%.exe:1976

The Trojan injects its code into the following process(es):

AnCamCorder_UpdateVer_3.4.6.exe:1668

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process AnCamCorder_UpdateVer_3.4.6.exe:868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\AntoolsUpdate_SetUp[1].exe (64618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (12065 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\NSISPromotionEx.ini (191 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\FILEDownPlug120308.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\System.dll (23 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\installoption.ini (1563 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (190 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (927 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\ShellLink.dll (12 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\StringFind.dll (1770 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\AntoolsUpdate_SetUp.exe (41400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SelfDelete.dll (48 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWebCount120207.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\gettext.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\getday[1].htm (8 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\NSISPromotionEx.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\installoption.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SetHoldData.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\AntoolsUpdate_SetUp.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SelfDelete.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\AntoolsUpdate_SetUp[1].exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiAD5E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\FILEDownPlug120308.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\ShellLink.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\gettext.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\getday[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\StringFind.dll (0 bytes)

The process AnCamCorder_UpdateVer_3.4.6.exe:3396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AntoolsUpdate_SetUp[1].exe (72854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\AntoolsUpdate_SetUp.exe (45760 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SelfDelete.dll (48 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\StringFind.dll (1770 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (11832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\ShellLink.dll (12 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWebCount120207.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\gettext.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\installoption.ini (1563 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\NSISPromotionEx.ini (191 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (1004 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SetHoldData.dll (1667 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (4 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWaitForKillProgram.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\System.dll (23 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AntoolsUpdate_SetUp[1].exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\FILEDownPlug120308.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\AntoolsUpdate_SetUp.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\installoption.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\gettext.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\NSISPromotionEx.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SetHoldData.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SelfDelete.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss69F8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\StringFind.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\ShellLink.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getday[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll (0 bytes)

The process AnCamCorder_UpdateVer_3.4.6.exe:3908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\KillProcDLL.dll (8 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (12065 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\installoption.ini (1563 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWebCount120207.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (15654 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\AntoolsUpdate_SetUp.exe (9020 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\AntoolsUpdate_SetUp[1].exe (30922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\FILEDownPlug120308.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (190 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SelfDelete.dll (48 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (927 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SetHoldData.dll (1667 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\ShellLink.dll (12 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\System.dll (23 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\gettext.dll (56 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getday[1].htm (8 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\AntoolsUpdate_SetUp[1].exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\FILEDownPlug120308.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\locate.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SelfDelete.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\gettext.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\StringFind.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\NSISPromotionEx.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\getday[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SetHoldData.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnD393.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\ShellLink.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\AntoolsUpdate_SetUp.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\installoption.ini (0 bytes)

The process AnCamCorder_UpdateVer_3.4.6.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\AntoolsUpdate_SetUp.exe (26313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\gettext.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AntoolsUpdate_SetUp[1].exe (35754 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\DLLWaitForKillProgram.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (1004 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\FILEDownPlug120308.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (11832 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\installoption.ini (1563 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\getday[1].htm (8 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyFDDE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getday[1].htm (0 bytes)

The process AnCamCorder_UpdateVer_3.4.6.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\AntoolsUpdate_SetUp[1].exe (76638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (12065 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll (37 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\System.dll (23 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWebCount120207.dll (56 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (927 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\AntoolsUpdate_SetUp.exe (53380 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\ShellLink.dll (12 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\KillProcDLL.dll (8 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\gettext.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SelfDelete.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\FILEDownPlug120308.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\AntoolsUpdate_SetUp[1].exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy3F22.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\StringFind.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\NSISPromotionEx.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SetHoldData.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\getday[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\ShellLink.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\AntoolsUpdate_SetUp.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\installoption.ini (0 bytes)

The process AntoolsUpdate_SetUp.exe:2824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\ns1066.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logexp[1].htm (4 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll (22 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\ns1066.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\xml.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\UserMgr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\IsVista.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll (0 bytes)

The process AntoolsUpdate_SetUp.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsExec.dll (14 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\UserMgr.dll (1554 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsC785.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll (22 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\IsVista.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\xml.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC706.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\UserMgr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsC785.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll (0 bytes)

The process AntoolsUpdate_SetUp.exe:760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\UserMgr.dll (1554 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\KillProcDLL.dll (1604 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\ns9D88.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWaitForKillProgram.dll (56 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[2].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\IsVista.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\UserMgr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\ns9D88.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\xml.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWaitForKillProgram.dll (0 bytes)

The process AntoolsUpdate_SetUp.exe:3184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (4 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWebCount120207.dll (56 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsEE17.tmp (14 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\UserMgr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\xml.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\IsVista.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsEE17.tmp (0 bytes)

The process AntoolsUpdate_SetUp.exe:1528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWebCount120207.dll (56 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\ns5A42.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[2].htm (4 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\xml.dll (2127 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logexp[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\IsVista.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\ns5A42.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\UserMgr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\xml.dll (0 bytes)

The process ancamcorderupdate.exe:2308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe (50 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ancamcoder20150825[1].htm (0 bytes)

The process ancamcorderupdate.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AnCamCorder_UpdateVer_3.4.6[1].exe (122136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe (68717 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (3 bytes)

The process ancamcorderupdate.exe:4004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe (50 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ancamcoder20150825[1].htm (0 bytes)

The process ancamcorderupdate.exe:3096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe (50 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ancamcoder20150825[1].htm (0 bytes)

The process ancamcorderupdate.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ancamcoder20150825[1].htm (0 bytes)

The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\AntoolsUpdate_SetUp.exe (38020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\installoption.ini (1563 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (11832 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\gettext.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll (22 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWaitForKillProgram.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (142 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\ShellLink.dll (12 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (927 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AntoolsUpdate_SetUp[1].exe (62178 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\StringFind.dll (1770 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\System.dll (23 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll (37 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnF21B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWaitForKillProgram.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\KillProcDLL.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\gettext.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\FILEDownPlug120308.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\NSISPromotionEx.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWebCount120207.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\AntoolsUpdate_SetUp.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\ShellLink.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SelfDelete.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\installoption.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SetHoldData.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AntoolsUpdate_SetUp[1].exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\StringFind.dll (0 bytes)

Registry activity

The process AnCamCorder_UpdateVer_3.4.6.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AnCamCorder]
"holddate" = "20170819"
"Update" = "false"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKCR\Iekey.iekeybho\CurVer]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
"(Default)" = "iekeybho Class"

[HKCU\Software\AnCamCorder]
"ver" = "20170427"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "103"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKCU\Software\AnCamCorder]
"module" = "20150914"

[HKCR\Iekey.iekeybho\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
"(Default)" = "Iekey.iekeybho"

[HKCU\Software\AnCamCorder]
"PID" = "home"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\Iekey.iekeybho]
"(Default)" = "iekeybho Class"

[HKCR\Iekey.iekeybho.1]
"(Default)" = "iekeybho Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\AnCamCorder]
"dir" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayName" = "AnCamCorder Uninstall"
"UninstallString" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll,"

[HKCR\Iekey.iekeybho.1\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayIcon" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\Implemented Categories]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\Programmable]
[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process AnCamCorder_UpdateVer_3.4.6.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AnCamCorder]
"holddate" = "20170819"
"Update" = "false"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKCR\Iekey.iekeybho\CurVer]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
"(Default)" = "iekeybho Class"

[HKCU\Software\AnCamCorder]
"ver" = "20170427"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "102"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKCU\Software\AnCamCorder]
"module" = "20150914"

[HKCR\Iekey.iekeybho\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
"(Default)" = "Iekey.iekeybho"

[HKCU\Software\AnCamCorder]
"PID" = "home"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\Iekey.iekeybho]
"(Default)" = "iekeybho Class"

[HKCR\Iekey.iekeybho.1]
"(Default)" = "iekeybho Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\AnCamCorder]
"dir" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayName" = "AnCamCorder Uninstall"
"UninstallString" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll,"

[HKCR\Iekey.iekeybho.1\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayIcon" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

The Trojan deletes the following value(s) in system registry:

The process AnCamCorder_UpdateVer_3.4.6.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AnCamCorder]
"holddate" = "20170819"
"Update" = "false"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKCR\Iekey.iekeybho\CurVer]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
"(Default)" = "iekeybho Class"

[HKCU\Software\AnCamCorder]
"ver" = "20170427"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "104"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKCU\Software\AnCamCorder]
"module" = "20150914"

[HKCR\Iekey.iekeybho\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
"(Default)" = "Iekey.iekeybho"

[HKCU\Software\AnCamCorder]
"PID" = "home"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\Iekey.iekeybho]
"(Default)" = "iekeybho Class"

[HKCR\Iekey.iekeybho.1]
"(Default)" = "iekeybho Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4A 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\AnCamCorder]
"dir" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayName" = "AnCamCorder Uninstall"
"UninstallString" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppDatÃ‡Æ’"

[HKCR\Iekey.iekeybho.1\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayIcon" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

The Trojan deletes the following value(s) in system registry:

The process AnCamCorder_UpdateVer_3.4.6.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Iekey.iekeybho\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
"(Default)" = "Iekey.iekeybho"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKCR\Iekey.iekeybho\CurVer]
"(Default)" = "Iekey.iekeybho.1"

[HKCR\Iekey.iekeybho.1\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKCR\Iekey.iekeybho]
"(Default)" = "iekeybho Class"

[HKCR\Iekey.iekeybho.1]
"(Default)" = "iekeybho Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4D 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
"(Default)" = "iekeybho Class"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

The Trojan deletes the following value(s) in system registry:

The process AnCamCorder_UpdateVer_3.4.6.exe:3640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\AnCamCorder]
"holddate" = "20170819"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKCR\Iekey.iekeybho\CurVer]
"(Default)" = "Iekey.iekeybho.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}]
"(Default)" = "iekeybho Class"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll,"

[HKCR\Interface\{122DB512-8B45-45B4-B2A6-865C803883BD}\TypeLib]
"(Default)" = "{06F5FFD1-C190-40E9-83D4-9A943BB1771C}"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\AnCamCorder]
"ver" = "20170427"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\Interface\{122DB512-8B45-45B4-B2A6-865C803883BD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

[HKCR\TypeLib\{06F5FFD1-C190-40E9-83D4-9A943BB1771C}\1.0\0\win32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKCR\TypeLib\{06F5FFD1-C190-40E9-83D4-9A943BB1771C}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{122DB512-8B45-45B4-B2A6-865C803883BD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\InprocServer32]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCR\Iekey.iekeybho\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\VersionIndependentProgID]
"(Default)" = "Iekey.iekeybho"

[HKCU\Software\AnCamCorder]
"Update" = "false"
"PID" = "home"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\TypeLib\{06F5FFD1-C190-40E9-83D4-9A943BB1771C}\1.0]
"(Default)" = "iekey 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "101"

[HKCR\Iekey.iekeybho]
"(Default)" = "iekeybho Class"

[HKCR\Iekey.iekeybho.1]
"(Default)" = "iekeybho Class"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\CLSID\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}\ProgID]
"(Default)" = "Iekey.iekeybho.1"

[HKCR\TypeLib\{06F5FFD1-C190-40E9-83D4-9A943BB1771C}\1.0\HELPDIR]
"(Default)" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKCU\Software\AnCamCorder]
"dir" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayName" = "AnCamCorder Uninstall"
"UninstallString" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\AnCamCorder_UpdateVer_3_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\Iekey.iekeybho.1\CLSID]
"(Default)" = "{F1A015C9-8106-4120-9D18-21BAEDAB20FF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayIcon" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKCR\Interface\{122DB512-8B45-45B4-B2A6-865C803883BD}]
"(Default)" = "Iiekeybho"

[HKCU\Software\AnCamCorder]
"module" = "20150914"

[HKCR\Interface\{122DB512-8B45-45B4-B2A6-865C803883BD}\TypeLib]
"Version" = "1.0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

The Trojan deletes the following value(s) in system registry:

The process AntoolsUpdate_SetUp.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayName" = "Antools"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll,"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKCU\Software\Antools]
"Install_Dir" = "%Program Files%\AHNSOFT\Antools"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayIcon" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"UninstallString" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\AntoolsUpdate_SetUp_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process AntoolsUpdate_SetUp.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayName" = "Antools"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll,"

[HKCU\Software\Antools]
"Install_Dir" = "%Program Files%\AHNSOFT\Antools"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 48 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayIcon" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

"UninstallString" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process AntoolsUpdate_SetUp.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayName" = "Antools"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll,"

[HKCU\Software\Antools]
"Install_Dir" = "%Program Files%\AHNSOFT\Antools"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayIcon" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

"UninstallString" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process AntoolsUpdate_SetUp.exe:3184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayName" = "Antools"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll, , \??\C:\Users\"%CurrentUserName%"\AppDatÃ‡â€ž"

[HKCU\Software\Antools]
"Install_Dir" = "%Program Files%\AHNSOFT\Antools"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4B 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antools]
"DisplayIcon" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

"UninstallString" = "%Program Files%\AHNSOFT\Antools\Uninstall.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process AntoolsUpdate_SetUp.exe:1528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process ancamcorderupdate.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process ancamcorderupdate.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ancamcorderupdate_RASAPI32]
"FileDirectory" = "%windir%\tracing"

"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process ancamcorderupdate.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 4C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process ancamcorderupdate.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process ancamcorderupdate.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\AnCamCorder]
"holddate" = "20170819"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\AnCamCorder]
"Update" = "false"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll,"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\AnCamCorder]
"ver" = "20170427"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "100"

[HKCU\Software\AnCamCorder]
"module" = "20150914"
"PID" = "home"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\AnCamCorder]
"dir" = "%Program Files%\AHNSOFT\AnCamCorder"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayName" = "AnCamCorder Uninstall"
"UninstallString" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\3b9f271b031ed7fc63537a243ec35b19_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AnCamCorder]
"DisplayIcon" = "%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

Dropped PE files

MD5	File path
1dd5b527ff0ba0c0bdbe36c651ab95a4	c:\Program Files\AHNSOFT\AnCamCorder\AnCamcorder.exe
77f872759651f2e9e1437dc253e93de0	c:\Program Files\AHNSOFT\AnCamCorder\EasySet.exe
a0822af45bbc24f13c72d2305e5ec2c2	c:\Program Files\AHNSOFT\AnCamCorder\Uninstall.exe
081c43f877c39ef58c5246c9cc672e11	c:\Program Files\AHNSOFT\AnCamCorder\ancamcorderupdate.exe
7627741977b55f994da9ad44aaa8794e	c:\Program Files\AHNSOFT\AnCamCorder\ksmodule.dll
1cd08c0fa0c5bd53450e332f35304381	c:\Program Files\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll
9ec5bb2442843f530f495806223a4e2b	c:\Program Files\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll
f322e5e14cb697de088905093d482499	c:\Program Files\AHNSOFT\Antools\AnToolUpdate.exe
82362b408cbf5341985d715b0be61a21	c:\Program Files\AHNSOFT\Antools\Uninstall.exe
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll
7d3317f57c1a368480ace3c0ca804eeb	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll
7d3317f57c1a368480ace3c0ca804eeb	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll
7d3317f57c1a368480ace3c0ca804eeb	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll
9c4b8ec42d89f7557bfd90798ce52787	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWaitForKillProgram.dll
89c563060d908e5df6848ad15731e6d0	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\FILEDownPlug120308.dll
99f345cf51b6c3c317d20a81acb11012	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\KillProcDLL.dll
e25231179633076571aeeead84744f58	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\gettext.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll
7d3317f57c1a368480ace3c0ca804eeb	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\stack.dll
0f61a81a543822de5fcb9a8a43f230dd	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	22738	23040	4.45908	c69726ed422d3dcfdec9731986daa752
.rdata	28672	4496	4608	3.59034	a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data	36864	110456	1024	3.20082	e59cdcb732e4bfbc84cc61dd68354f78
.ndata	147456	102400	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	249856	22488	22528	3.08798	cd82b967b2c0816f9b17f43e3e60693c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 9
567703cd852d043520b10b369bd3d02c
f841a2bb70445c26053fe7bdb14409fc
a3e2415d2a407e041854a3b380860d88
a805c3bf513e3d78193d0493696e2272
235d3dba317d9e76d5c1e1560655c75b
d16fad84ab7373cd155589237509140e
775288768eb0725c5f0dabdbf840a31d
0a429cf08145679f8181639cf3de1d02
4a098c445f19deb37a5478f7ea30cecf

URLs

URL	IP
hxxp://app.ancamera.co.kr/updatechk/getday.php	114.108.160.211
hxxp://down.ancamera.co.kr/Antools/AntoolsUpdate_SetUp.exe	210.112.11.141
hxxp://log.adsence.co.kr/logexp.php?aid=AnToolUpdate&kind=inst&pid=home	114.108.160.134
hxxp://log.adsence.co.kr/logexp.php?aid=ancamcorder3.4.1Update&pid=home&kind=inst	114.108.160.134
hxxp://app.ancamera.co.kr/updatechk/ancamcoder20150825.php?pid=home	114.108.160.211
hxxp://down.ancamera.co.kr/update/AnCamCorder_UpdateVer_3.4.6.exe	210.112.11.141

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE User-Agent (webcount)
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /Antools/AntoolsUpdate_SetUp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:39:11 GMT

Content-Type: application/octet-stream

Content-Length: 484560

Last-Modified: Tue, 29 Mar 2016 04:36:57 GMT

Connection: keep-alive

ETag: "56fa0669-764d0"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
........................!L.......................................t....
......PO...........F..0...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@..@.data...X\......
.....v..............@....ndata...................................rsrc.
..PO.......P...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@
..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u
....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /logexp.php?aid=ancamcorder3.4.1Update&pid=home&kind=inst HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:05 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 17 Aug 2017 23:
39:05 GMT..Content-Type: text/html..Transfer-Encoding: chunked..X-Powe
red-By: PHP/5.3.3..4..ture..0..

GET /updatechk/getday.php HTTP/1.1

User-Agent: webcount

Host: app.ancamera.co.kr

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:39:37 GMT

Content-Type: text/html

Transfer-Encoding: chunked

8..20170818..0..HTTP/1.1 200 OK..Server: nginx/1.2.6..Date: Thu, 17 Au
g 2017 23:39:37 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..8..20170818..0..

GET /Antools/AntoolsUpdate_SetUp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:39:37 GMT

Content-Type: application/octet-stream

Content-Length: 484560

Last-Modified: Tue, 29 Mar 2016 04:36:57 GMT

Connection: keep-alive

ETag: "56fa0669-764d0"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
........................!L.......................................t....
......PO...........F..0...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@..@.data...X\......
.....v..............@....ndata...................................rsrc.
..PO.......P...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@
..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u
....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /updatechk/ancamcoder20150825.php?pid=home HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: app.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:39:07 GMT

Content-Type: text/html

Transfer-Encoding: chunked
bcb..[UPDATE]..AN_FILENUM=3..CHKFILENUM=3..AN_HOLDDATA=14..AN_HOLDCHK=
1..AN_OPTION=0..AN_MUTEXCHK=..AN_MODULE=..MODULETEXT1=........v3.4.1..
.... .......... .............MODULETEXT2=........ ............?..MODUL
ETEXT3=..MODULETEXT4=..MODULETEXT5=..AN_VERSION=20170612..AN_UPDATEURL
=hXXp://down.ancamera.co.kr/update/AnCamCorder_UpdateVer_3.4.6.exe..AN
_UPDATEFILE=AnCamCorder_UpdateVer_3.4.6.exe.. ..[UPFILE1]..AN_TITLE=[.
.]...... ..........AN_SUBTITLE=........ .... ......AN_NAME=.... ......
..[....]..AN_NAME1=[........] v3.4.1 ..........AN_LINCES=hXXp://app.an
camera.co.kr/updatechk/license/ancameralicense5.txt..AN_LINCES1=http:/
/app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..AN_DOWNFIL
EURL=hXXp://down.ancamera.co.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILEN
AME=AnCamcorder.exe..AN_PROGINFO=.......... .... ...... .......... ...
......... .... .............. .... ...............AN_DISCLIPT=..AN_CHE
CK=1..AN_STATE=..[UPFILE2]..AN_NAME=...... ........[....]..AN_NAME1=v3
.4.1 ........ ....[....]..AN_LINCES=hXXp://app.ancamera.co.kr/updatech
k/license/ancameralicense5.txt..AN_DOWNFILEURL=hXXp://down.ancamera.co
.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILENAME=AnCamcorder.exe..AN_LINC
ES1=hXXp://app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..
AN_PROGINFO=........ .... ...... .......... ............ .... ........
...... .... ...............AN_DISCLIPT=..AN_CHECK=1..AN_STATE=..[FILE1
]..AN_NAME=............ .. .... ......AN_LINCES=hXXp://down.ezoneclick
.com/License/savepop_lice.txt..AN_DOWNFILEURL=hXXp://down.ezonecli<<< skipped >>>

GET /updatechk/ancamcoder20150825.php?pid=home HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: app.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:39:33 GMT

Content-Type: text/html

Transfer-Encoding: chunked
bcb..[UPDATE]..AN_FILENUM=3..CHKFILENUM=3..AN_HOLDDATA=14..AN_HOLDCHK=
1..AN_OPTION=0..AN_MUTEXCHK=..AN_MODULE=..MODULETEXT1=........v3.4.1..
.... .......... .............MODULETEXT2=........ ............?..MODUL
ETEXT3=..MODULETEXT4=..MODULETEXT5=..AN_VERSION=20170612..AN_UPDATEURL
=hXXp://down.ancamera.co.kr/update/AnCamCorder_UpdateVer_3.4.6.exe..AN
_UPDATEFILE=AnCamCorder_UpdateVer_3.4.6.exe.. ..[UPFILE1]..AN_TITLE=[.
.]...... ..........AN_SUBTITLE=........ .... ......AN_NAME=.... ......
..[....]..AN_NAME1=[........] v3.4.1 ..........AN_LINCES=hXXp://app.an
camera.co.kr/updatechk/license/ancameralicense5.txt..AN_LINCES1=http:/
/app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..AN_DOWNFIL
EURL=hXXp://down.ancamera.co.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILEN
AME=AnCamcorder.exe..AN_PROGINFO=.......... .... ...... .......... ...
......... .... .............. .... ...............AN_DISCLIPT=..AN_CHE
CK=1..AN_STATE=..[UPFILE2]..AN_NAME=...... ........[....]..AN_NAME1=v3
.4.1 ........ ....[....]..AN_LINCES=hXXp://app.ancamera.co.kr/updatech
k/license/ancameralicense5.txt..AN_DOWNFILEURL=hXXp://down.ancamera.co
.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILENAME=AnCamcorder.exe..AN_LINC
ES1=hXXp://app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..
AN_PROGINFO=........ .... ...... .......... ............ .... ........
...... .... ...............AN_DISCLIPT=..AN_CHECK=1..AN_STATE=..[FILE1
]..AN_NAME=............ .. .... ......AN_LINCES=hXXp://down.ezoneclick
.com/License/savepop_lice.txt..AN_DOWNFILEURL=hXXp://down.ezonecli<<< skipped >>>

GET /logexp.php?aid=ancamcorder3.4.1Update&pid=home&kind=inst HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:23 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 17 Aug 2017 23:
39:23 GMT..Content-Type: text/html..Transfer-Encoding: chunked..X-Powe
red-By: PHP/5.3.3..4..ture..0..

GET /logexp.php?aid=AnToolUpdate&kind=inst&pid=home HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:22 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..

GET /Antools/AntoolsUpdate_SetUp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:39:28 GMT

Content-Type: application/octet-stream

Content-Length: 484560

Last-Modified: Tue, 29 Mar 2016 04:36:57 GMT

Connection: keep-alive

ETag: "56fa0669-764d0"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
........................!L.......................................t....
......PO...........F..0...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@..@.data...X\......
.....v..............@....ndata...................................rsrc.
..PO.......P...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@
..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u
....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /update/AnCamCorder_UpdateVer_3.4.6.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:38:49 GMT

Content-Type: application/octet-stream

Content-Length: 1180968

Last-Modified: Thu, 27 Apr 2017 07:40:38 GMT

Connection: keep-alive

ETag: "5901a076-120528"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................Z...........0.......p....@.........
.................0.......\.......................................s....
.......W..............................................................
.............p...............................text....X.......Z........
.......... ..`.rdata.......p.......^..............@..@.data...x.......
.....p..............@....ndata.......@...........................rsrc.
...W.......X...t..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u
...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..
M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...
Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@.
.vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r
@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.
......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

GET /updatechk/getday.php HTTP/1.1

User-Agent: webcount

Host: app.ancamera.co.kr

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:38:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

8..20170818..0..HTTP/1.1 200 OK..Server: nginx/1.2.6..Date: Thu, 17 Au
g 2017 23:38:59 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..8..20170818..0..

GET /logexp.php?aid=AnToolUpdate&kind=inst&pid=home HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:38:46 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..

GET /logexp.php?aid=ancamcorder3.4.1Update&pid=home&kind=inst HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:33 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 17 Aug 2017 23:
39:33 GMT..Content-Type: text/html..Transfer-Encoding: chunked..X-Powe
red-By: PHP/5.3.3..4..ture..0..

GET /updatechk/getday.php HTTP/1.1

User-Agent: webcount

Host: app.ancamera.co.kr

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:39:09 GMT

Content-Type: text/html

Transfer-Encoding: chunked

8..20170818..0..HTTP/1.1 200 OK..Server: nginx/1.2.6..Date: Thu, 17 Au
g 2017 23:39:09 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..8..20170818..0..

GET /logexp.php?aid=AnToolUpdate&kind=inst&pid=home HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:32 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..

GET /updatechk/getday.php HTTP/1.1

User-Agent: webcount

Host: app.ancamera.co.kr

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Thu, 17 Aug 2017 23:38:39 GMT

Content-Type: text/html

Transfer-Encoding: chunked

8..20170818..0..HTTP/1.1 200 OK..Server: nginx/1.2.6..Date: Thu, 17 Au
g 2017 23:38:39 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..8..20170818..0..

GET /Antools/AntoolsUpdate_SetUp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:38:41 GMT

Content-Type: application/octet-stream

Content-Length: 484560

Last-Modified: Tue, 29 Mar 2016 04:36:57 GMT

Connection: keep-alive

ETag: "56fa0669-764d0"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
........................!L.......................................t....
......PO...........F..0...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@..@.data...X\......
.....v..............@....ndata...................................rsrc.
..PO.......P...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@
..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u
....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /logexp.php?aid=AnToolUpdate&kind=inst&pid=home HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:39:04 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..

GET /updatechk/ancamcoder20150825.php?pid=home HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: app.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.4.0

Date: Thu, 17 Aug 2017 23:39:24 GMT

Content-Type: text/html

Transfer-Encoding: chunked
bcb..[UPDATE]..AN_FILENUM=3..CHKFILENUM=3..AN_HOLDDATA=14..AN_HOLDCHK=
1..AN_OPTION=0..AN_MUTEXCHK=..AN_MODULE=..MODULETEXT1=........v3.4.1..
.... .......... .............MODULETEXT2=........ ............?..MODUL
ETEXT3=..MODULETEXT4=..MODULETEXT5=..AN_VERSION=20170612..AN_UPDATEURL
=hXXp://down.ancamera.co.kr/update/AnCamCorder_UpdateVer_3.4.6.exe..AN
_UPDATEFILE=AnCamCorder_UpdateVer_3.4.6.exe.. ..[UPFILE1]..AN_TITLE=[.
.]...... ..........AN_SUBTITLE=........ .... ......AN_NAME=.... ......
..[....]..AN_NAME1=[........] v3.4.1 ..........AN_LINCES=hXXp://app.an
camera.co.kr/updatechk/license/ancameralicense5.txt..AN_LINCES1=http:/
/app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..AN_DOWNFIL
EURL=hXXp://down.ancamera.co.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILEN
AME=AnCamcorder.exe..AN_PROGINFO=.......... .... ...... .......... ...
......... .... .............. .... ...............AN_DISCLIPT=..AN_CHE
CK=1..AN_STATE=..[UPFILE2]..AN_NAME=...... ........[....]..AN_NAME1=v3
.4.1 ........ ....[....]..AN_LINCES=hXXp://app.ancamera.co.kr/updatech
k/license/ancameralicense5.txt..AN_DOWNFILEURL=hXXp://down.ancamera.co
.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILENAME=AnCamcorder.exe..AN_LINC
ES1=hXXp://app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..
AN_PROGINFO=........ .... ...... .......... ............ .... ........
...... .... ...............AN_DISCLIPT=..AN_CHECK=1..AN_STATE=..[FILE1
]..AN_NAME=............ .. .... ......AN_LINCES=hXXp://down.ezoneclick
.com/License/savepop_lice.txt..AN_DOWNFILEURL=hXXp://down.ezonecli<<< skipped >>>

GET /logexp.php?aid=ancamcorder3.4.1Update&pid=home&kind=inst HTTP/1.1

Host: log.adsence.co.kr


HTTP/1.1 200 OK

Server: nginx

Date: Thu, 17 Aug 2017 23:38:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.3.3

4..ture..0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 17 Aug 2017 23:
38:47 GMT..Content-Type: text/html..Transfer-Encoding: chunked..X-Powe
red-By: PHP/5.3.3..4..ture..0..

GET /updatechk/getday.php HTTP/1.1

User-Agent: webcount

Host: app.ancamera.co.kr

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: nginx/1.4.0

Date: Thu, 17 Aug 2017 23:39:27 GMT

Content-Type: text/html

Transfer-Encoding: chunked

8..20170818..0..HTTP/1.1 200 OK..Server: nginx/1.4.0..Date: Thu, 17 Au
g 2017 23:39:27 GMT..Content-Type: text/html..Transfer-Encoding: chunk
ed..8..20170818..0..

GET /Antools/AntoolsUpdate_SetUp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: down.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.8.1

Date: Thu, 17 Aug 2017 23:39:00 GMT

Content-Type: application/octet-stream

Content-Length: 484560

Last-Modified: Tue, 29 Mar 2016 04:36:57 GMT

Connection: keep-alive

ETag: "56fa0669-764d0"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
........................!L.......................................t....
......PO...........F..0...............................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@..@.data...X\......
.....v..............@....ndata...................................rsrc.
..PO.......P...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@
..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u
....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /updatechk/ancamcoder20150825.php?pid=home HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: app.ancamera.co.kr

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.4.0

Date: Thu, 17 Aug 2017 23:38:48 GMT

Content-Type: text/html

Transfer-Encoding: chunked
bcb..[UPDATE]..AN_FILENUM=3..CHKFILENUM=3..AN_HOLDDATA=14..AN_HOLDCHK=
1..AN_OPTION=0..AN_MUTEXCHK=..AN_MODULE=..MODULETEXT1=........v3.4.1..
.... .......... .............MODULETEXT2=........ ............?..MODUL
ETEXT3=..MODULETEXT4=..MODULETEXT5=..AN_VERSION=20170612..AN_UPDATEURL
=hXXp://down.ancamera.co.kr/update/AnCamCorder_UpdateVer_3.4.6.exe..AN
_UPDATEFILE=AnCamCorder_UpdateVer_3.4.6.exe.. ..[UPFILE1]..AN_TITLE=[.
.]...... ..........AN_SUBTITLE=........ .... ......AN_NAME=.... ......
..[....]..AN_NAME1=[........] v3.4.1 ..........AN_LINCES=hXXp://app.an
camera.co.kr/updatechk/license/ancameralicense5.txt..AN_LINCES1=http:/
/app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..AN_DOWNFIL
EURL=hXXp://down.ancamera.co.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILEN
AME=AnCamcorder.exe..AN_PROGINFO=.......... .... ...... .......... ...
......... .... .............. .... ...............AN_DISCLIPT=..AN_CHE
CK=1..AN_STATE=..[UPFILE2]..AN_NAME=...... ........[....]..AN_NAME1=v3
.4.1 ........ ....[....]..AN_LINCES=hXXp://app.ancamera.co.kr/updatech
k/license/ancameralicense5.txt..AN_DOWNFILEURL=hXXp://down.ancamera.co
.kr/file/4.1/AnCamcorder.exe..AN_DOWNfILENAME=AnCamcorder.exe..AN_LINC
ES1=hXXp://app.ancamera.co.kr/updatechk/license/ancameralicense5.txt..
AN_PROGINFO=........ .... ...... .......... ............ .... ........
...... .... ...............AN_DISCLIPT=..AN_CHECK=1..AN_STATE=..[FILE1
]..AN_NAME=............ .. .... ......AN_LINCES=hXXp://down.ezoneclick
.com/License/savepop_lice.txt..AN_DOWNFILEURL=hXXp://down.ezonecli<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

SearchProtocolHost.exe_3828:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_2736:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

AnCamCorder_UpdateVer_3.4.6.exe_1668:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

adm\AppData\Local\Temp\nstFE0E.tmp\FILEDownPlug120308.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\FILEDownPlug120308.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp

J-%UP.E

<-4}7l

%XX,N$

.reloc

user32.dll

URLDownloadToFileA

urlmon.dll

DeleteUrlCacheEntry

WININET.dll

GetCPInfo

fileDownPlug.dll

YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER

under certain conditions; type `show c' for details.

.bpu]lj

U.CgZD

`IÑ]

nstFE0E.tmp

V3.3.9 Install

\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp

"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe"

%Program Files%\AHNSOFT\AnCamCorder

%Program Files%\AHNSOFT\AnCamCorder\xvid\driver

C:\Users\"%CurrentUserName%"\AppData\Local\Temp

AnCamCorder_UpdateVer_3.4.6.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsyFDDE.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe

AnCamcorder 3.3.9

20170818

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

AnCamCorder_UpdateVer_3.4.6.exe:868
AnCamCorder_UpdateVer_3.4.6.exe:3396
AnCamCorder_UpdateVer_3.4.6.exe:3908
AnCamCorder_UpdateVer_3.4.6.exe:3640
AntoolsUpdate_SetUp.exe:2824
AntoolsUpdate_SetUp.exe:1252
AntoolsUpdate_SetUp.exe:760
AntoolsUpdate_SetUp.exe:3184
AntoolsUpdate_SetUp.exe:1528
ancamcorderupdate.exe:2308
ancamcorderupdate.exe:3476
ancamcorderupdate.exe:4004
ancamcorderupdate.exe:3096
ancamcorderupdate.exe:3264
%original file name%.exe:1976
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\AntoolsUpdate_SetUp[1].exe (64618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ ÃƒÂÃ‚Â¦Ã‚Â°Ãƒâ€¦.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe (12065 bytes)
%Program Files%\AHNSOFT\AnCamCorder\Uninstall.exe (2374 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\NSISPromotionEx.ini (191 bytes)
C:\Windows\System32\gmarket.ico (17 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidcore.dll (20878 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\FILEDownPlug120308.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\EasySet.exe (14979 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\System.dll (23 bytes)
%Program Files%\AHNSOFT\AnCamCorder\AnCamcorder.exe (51326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\installoption.ini (1563 bytes)
%Program Files%\AHNSOFT\AnCamCorder\updatelist.ini (2 bytes)
C:\DelUS.bat (190 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\ÃƒË†Ã‚Â¯Ã‚Â°ÃƒÂ¦Ã‚Â¼Ã‚Â³ÃƒÂÃ‚Â¤ Ã‚Â±ÃƒÂ¦Ãƒâ‚¬ÃƒÂ¢Ãƒâ‚¬ÃƒÅ’.lnk (1 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ksmodule.dll (927 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\install.bat (70 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ\Ã‚Â¾ÃƒË†Ãƒâ€žÃ‚Â·Ãƒâ€žÃƒÅ¡Ã‚Â´ÃƒÂµ.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\ShellLink.dll (12 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvidvfw.dll (3623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\StringFind.dll (1770 bytes)
%Program Files%\AHNSOFT\AnCamCorder\xvid\driver\xvid.inf (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\AntoolsUpdate_SetUp.exe (41400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\SelfDelete.dll (48 bytes)
C:\Windows\System32\auction.ico (17 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\DLLWebCount120207.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\timetemp.ini (60 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyAD7E.tmp\gettext.dll (56 bytes)
%Program Files%\AHNSOFT\AnCamCorder\ancamcorder.ini (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AntoolsUpdate_SetUp[1].exe (72854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\AntoolsUpdate_SetUp.exe (45760 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn6A28.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\AntoolsUpdate_SetUp.exe (9020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\AntoolsUpdate_SetUp[1].exe (30922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstD3B4.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\getday[1].htm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\AntoolsUpdate_SetUp.exe (26313 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstFE0E.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\logexp[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\locate.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\AntoolsUpdate_SetUp.exe (53380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn3F80.tmp\KillProcDLL.dll (8 bytes)
%Program Files%\AHNSOFT\Antools\Uninstall.exe (2131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\ns1066.tmp (14 bytes)
%Program Files%\AHNSOFT\Antools\AnToolUpdate.exe (48742 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ahnsoft\Ã‚Â¾ÃƒË†Ãƒâ€¦ÃƒÂ¸ÃƒÂÃƒÂ® Ãƒâ€¦ÃƒÂ«Ãƒâ€¡Ãƒâ€¢Ã‚Â¾ÃƒÂ·Ã‚ÂµÃ‚Â¥Ãƒâ‚¬ÃƒÅ’Ãƒâ€ Ã‚Â®.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test_saved.xml (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiFD9.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\nsC785.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsyC707.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\ns9D88.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy9CFB.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnECDE.tmp\nsEE17.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\UserMgr.dll (1554 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\ns5A42.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\IsVista.dll (1613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logexp[2].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\KillProcDLL.dll (1604 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy59A5.tmp\xml.dll (2127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AnCamCorder_UpdateVer_3.4.6.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AnCamCorder_UpdateVer_3.4.6[1].exe (122136 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ancamcoder20150825[1].htm (938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWebCount120207.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\AntoolsUpdate_SetUp.exe (38020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SelfDelete.dll (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\installoption.ini (1563 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\KillProcDLL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\gettext.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\SetHoldData.dll (1667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\stack.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\DLLWaitForKillProgram.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\ShellLink.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\AntoolsUpdate_SetUp[1].exe (62178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\StringFind.dll (1770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\FILEDownPlug120308.dll (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\NSISPromotionEx.ini (191 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF23B.tmp\locate.dll (37 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AnCamCorder" = "%Program Files%\AHNSOFT\AnCamCorder\ancamcorderupdate.exe -o"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.