Gen.Variant.Graftor.316353_a1d5430d2e
Gen:Variant.Graftor.316353 (BitDefender), Trojan.PWS.Panda.12096 (DrWeb), Gen:Variant.Graftor.316353 (B) (Emsisoft), Artemis!A1D5430D2EEA (McAfee), Gen:Variant.Graftor.316353 (FSecure), Win32:Evo-gen [Susp] (AVG), Win32:Evo-gen [Susp] (Avast), Gen:Variant.Graftor.316353 (AdAware), Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a1d5430d2eea1a47fbb1f1c85939cd2b
SHA1: 355e755ba2ade21e55f041cf6afab64bf18626d5
SHA256: da33386ba4c9a9b5ecb31690a8148dfde0f5eb7b2827adb0c977a20475f2e4e7
SSDeep: 6144:7NwPUaSN35D1XnsOBXrOzrDTwHhUbBFzXA/mGy9JVUcWsflqkqDlkZj:7NBF1NRraDTwHhABFzQ/g9SsflqJDij
Size: 394240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-12-08 17:44:06
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW. A Trojan program intended for stealing users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
xyhykagea.exe:1816
%original file name%.exe:320
WinMail.exe:4072
The Trojan injects its code into the following process(es):
taskhost.exe:252
Explorer.EXE:284
Dwm.exe:528
TPAutoConnect.exe:2068
conhost.exe:2076
conhost.exe:2764
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process xyhykagea.exe:1816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBE6.tmp (8020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBF6.tmp (7709 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBE6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBF6.tmp (0 bytes)
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Igqyypiviklu\xyhykagea.exe (791 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpee4f0d5f.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDBA1.tmp (7709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDB72.tmp (8020 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDBA1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDB72.tmp (0 bytes)
The process WinMail.exe:4072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (35168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\690B3C40-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_4072_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\690B3C40-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab696.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6A7.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_4072_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab696.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6A7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_4072_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)
Registry activity
The process WinMail.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E2 07 03 00 05 00 17 00 13 00 06 00 22 00 58 02"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"
[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"
[HKCU\Identities]
"Identity Ordinal" = "2"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Default_CodePage" = "28591"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"
[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"
[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"
[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"
[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "95 2A 84 13 DA C2 D3 01"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"
[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"
[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Identities]
"Changing"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Identities]
"IncomingID"
"OutgoingID"
[HKCU\Software\Microsoft\WAB]
"NamedProps"
Dropped PE files
MD5 | File path |
---|---|
4ff27ea3d40f8189d208d1d52b62fbcf | c:\Users\"%CurrentUserName%"\AppData\Roaming\Igqyypiviklu\xyhykagea.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
GetMessageW
PeekMessageW
The Trojan installs the following user-mode hooks in ADVAPI32.dll:
CreateProcessAsUserA
RegQueryValueExA
RegQueryValueExW
CreateProcessAsUserW
The Trojan installs the following user-mode hooks in WS2_32.dll:
gethostbyname
send
WSASend
getaddrinfo
closesocket
The Trojan installs the following user-mode hooks in kernel32.dll:
ExitProcess
GetFileAttributesExW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
ZwCreateUserProcess
Propagation
VersionInfo
Company Name:
Product Name: MDI Application
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright © 1998
Legal Trademarks:
Original Filename: MDI.EXE
Internal Name: MDI
File Version: 1, 0, 0, 1
File Description: MDI MFC Application
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 36418 | 36864 | 3.46761 | b4e3548e6cf6fbed11cc7c33d69b21f8 |
.rdata | 40960 | 8014 | 8192 | 3.33415 | 323289d8c12c15ede18759a56be3cce2 |
.data | 49152 | 564 | 4096 | 0.402592 | 29f7752e5f12d5c58e48cc02bf9419d0 |
.rsrc | 53248 | 339180 | 339968 | 5.47731 | 8409808dea55f7b7c8a23a2530e18c8e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl | |
crl.microsoft.com | |
genmjob3.ru | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Length: 558
Content-Type: application/pkix-crl
Content-MD5: PMABL5b49EFkwY194FAj2Q==
Last-Modified: Wed, 23 Aug 2017 20:44:38 GMT
ETag: 0x8D4EA67C5E6D892
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: a02d63f4-0001-0004-5dc6-1cb2f2000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Fri, 23 Mar 2018 19:06:40 GMT
Connection: keep-alive0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Content-MD5: PMABL5b49EFkwY194FAj2Q==..Last-Modified: Wed, 23 Aug
2017 20:44:38 GMT..ETag: 0x8D4EA67C5E6D892..Server: Windows-Azure-Blo
b/1.0 Microsoft-HTTPAPI/2.0..x-ms-request-id: a02d63f4-0001-0004-5dc6-
1cb2f2000000..x-ms-version: 2009-09-19..x-ms-lease-status: unlocked..x
-ms-blob-type: BlockBlob..Date: Fri, 23 Mar 2018 19:06:40 GMT..Connect
ion: keep-alive..0..*0......0...*.H........0..1.0...U....US1.0...U....
Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U...
"Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft Code Signing P
CA..111110211944Z..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0
... .....7.........0...*.H...............&..%PIu@.....\0KF....0..^.h9=
.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud)
;.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..
Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . .<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdl
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
C:\Users\"%CurrentUserName%"\AppData\Roaming\Exezegiq\iwbynafe.nec
C:\Users\"%CurrentUserName%"\AppData\Roaming\Exezegiq
iwbynafe.nec
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
Explorer.EXE_284_rwx_04040000_00047000:
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdl
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
Dwm.exe_528_rwx_010A0000_00047000:
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdl
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
:\Users\"%CurrentUserName%"\AppData\Roaming\Exezegiq\iwbynafe.nec
C:\Users\"%CurrentUserName%"\AppData\Roaming\Exezegiq
iwbynafe.nec
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
TPAutoConnect.exe_2068_rwx_00550000_00047000:
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdlU
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
conhost.exe_2076_rwx_000D0000_00047000:
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdl
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
conhost.exe_2764_rwx_00520000_00047000:
.text
`.data
.reloc
HTTP/1.1
HTTP/1.0
hXXps://
GET /favicon.ico HTTP/1.1
HTTP/1.
atmos_hvnc.module
atmos_ffcookie.module
atmos_video.module
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://xxxxxxxx.com/xxxx/xxxx.php
%COMMANDSERVER%
hXXp://127.0.0.1:%u/
X-Type: %s
¥
value=[%s], code=[%s]
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
hXXp://VVV.google.com/webhp
*.facebook.com
*.twitter.com
*.instagram.com
*.booking.com
*.sharepoint.com
*.yahoo.com
login.yahoo.com
*.google.com
accounts.google.com
192.168.*.*
127.0.0.1
*/wp-login.php*
*.xn--p1ai
Cookie: %s
Referer: %s
Accept: %s
Accept-Language: %s
Accept-Encoding: %s
573 6.wwd/$%
8<*/9‘
7<*6)4"1
#'>$'#,*
-*.",.# 0(
(260"$2>9
:'->:-= =
!'/7)3)9,
1,&51&6 6-
*9>&& $*)
;* (1/8
.)<*1?09
az.bjbewEe[a{{hbe}>ryx
3979946~
rc&*W %X(- ~.>8CT
:'->:-= =7
! &/%:?
8%/<8/?)?5
= *9=*:,:*
6&2/; |
*!7 4)?,
eaO1fJ28=rT)=6w.krd
90>jsw.QU
_getFirefoxCookie
hXXp://
PR_OpenTCPSocket
update.exe
config.bin
ShellExecuteExW
%s%s%s
%s, u %s %u u:u:u GMT
; charset=%s
HTTP/1.1 %u %s
Date: %s
Content-Length: %u
Expires: %s
Content-Type: %s%s
ID: %s
value_%s
value_%s_%s
%s = "%s";
SSShdlR
PSSSSSSh
9.tI3
GetProcessHeap
GetWindowsDirectoryW
CreatePipe
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
RegCreateKeyW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
UrlUnescapeA
SHDeleteKeyW
PathIsURLW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
PSAPI.DLL
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
PFXImportCertStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpQueryInfoA
InternetCrackUrlA
InternetCrackUrlW
HttpAddRequestHeadersW
HttpOpenRequestA
HttpSendRequestA
HttpSendRequestExA
HttpSendRequestExW
HttpSendRequestW
GetUrlCacheEntryInfoW
HttpOpenRequestW
HttpEndRequestA
HttpAddRequestHeadersA
HttpEndRequestW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
VERSION.dll
NtQueryKey
ntdll.dll
SUWt^Ht[Ht.Huc
5"6;6\6~6
\StringFileInfo\xx\%s
kernel32.dll
"%s" %s
kshell32.dll
/c "%s"
%sx.%s
%sx
SELECT * FROM %s
Company: %s
Product: %s
Version: %s
Software\Microsoft\Windows\CurrentVersion\Uninstall
%u: %s | %s | %s
X-TS-Rule-Name: %s
X-TS-Rule-PatternID: %u
X-TS-BotID: %s
X-TS-Domain: %s
X-TS-SessionID: %s
Content-Type: application/x-www-form-urlencoded
X-TS-Header-Cookie: %S
X-TS-Header-Referer: %S
X-TS-Header-AcceptEncoding: %S
X-TS-Header-AcceptLanguage: %S
X-TS-Header-UserAgent: %S
Global\XXX
Rapport
*.swf
*.flv
*.png
*.jpg
*.ico
*.gif
*.css
%sd1%
%sd2%
Name: %s
Path: %s
Hash: %s
Time: u.u.u
Process (u minute): %s
Input: %s
nspr4.dll
nss3.dll
chrome.dll
Chrome
Firefox
nole32.dll
CRYPTBASE.dll
\sysprep\sysprep.exe
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
sXXXX
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh\ibpusecoy.qug
C:\Users\"%CurrentUserName%"\AppData\Roaming\Duumydycynoh
ibpusecoy.qug
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
xyhykagea.exe:1816
%original file name%.exe:320
WinMail.exe:4072
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBE6.tmp (8020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpEBF6.tmp (7709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Igqyypiviklu\xyhykagea.exe (791 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpee4f0d5f.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDBA1.tmp (7709 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpDB72.tmp (8020 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (35168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\690B3C40-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_4072_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\690B3C40-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab696.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6A7.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.