MD5: ba128a31de44701c560fcca1a050b89d
SHA1: e14b67ca4f4042536f8ca2e021d101547f06ad8a
SHA256: 7e9e05c5f40ceb38c292ba109b8b09b6915d49bcd64a60402c587c1a25484206
SSDeep: 49152:7QUFtXCEbTCNxKCnFnQXBbrtgb/iQvu0UHOJ:2E6NxvWbrtUTrUHOJ
Size: 2213565 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2012-03-05 10:37:55
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mscaps.exe:2748
wtmps.exe:2700
%original file name%.exe:1932
@AE1.tmp.exe:1116
NOTEPAD.EXE:3596
NOTEPAD.EXE:3744
NOTEPAD.EXE:3676
NOTEPAD.EXE:3568
NOTEPAD.EXE:2284
NOTEPAD.EXE:3524
NOTEPAD.EXE:3536
NOTEPAD.EXE:2240
NOTEPAD.EXE:3732
NOTEPAD.EXE:3704
netsh.exe:2472
netsh.exe:636
launch.exe:2640
WdExt.exe:2332
WINMINE.EXE:3636
WINMINE.EXE:3664
WINMINE.EXE:3608
WINMINE.EXE:3772

The Trojan injects its code into the following process(es):

360Inst_62.exe:644
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mscaps.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (406 bytes)
%System%\wtime32.dll (29045 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (0 bytes)

The process wtmps.exe:2700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mscaps.exe (27349 bytes)

The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (18098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe (23936 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (0 bytes)

The process @AE1.tmp.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000CBA8B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB933_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC597_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1EE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (242745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7AA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC180_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC22C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF9C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4AD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC113_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB79D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB897_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC624_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB878_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC12_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB82A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4EB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD79_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB66_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC5C6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2B9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8F5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0B5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC48E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC019_Rar\@AE1.tmp.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCEC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC317_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBD3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC31_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC430_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC057_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC662_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF8C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC75C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC6F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7DC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBABA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4CC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC038_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7CA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC336_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC568_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBF2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC151_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC45F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBFFA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC827_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC50B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0D4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB95_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9DF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC077_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC374_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0E4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC420_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3D2_Rar\@AE1.tmp.exe (13122 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB77E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0A6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC643_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC24B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB859_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC29A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2D8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA1E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC70E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC067_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD4A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC142_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC26B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA2D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7FB_Rar\@AE1.tmp.exe (13122 bytes)
C:\%original file name%.exe (2792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB73F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7E9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC682_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF2F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBAF8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC559_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC605_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1CE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC808_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (455744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB37_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1A0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC123_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8D6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA5C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC355_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC46E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC9E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBB4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3B3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1BF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0C5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC20D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC76C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC73D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8B6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD0C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC44F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCBE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC029_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6A1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB914_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF7D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC49D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2F7_Rar\@AE1.tmp.exe (13122 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (0 bytes)
C:\cbf7d (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)

The process 360Inst_62.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_icon.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_logo.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360net.dll (111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_title.JPG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (2467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\setup.ini (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\IELog.jpg (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_icon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_logo.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_title.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\setup.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\IELog.jpg (0 bytes)

The process launch.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (112 bytes)

The process WdExt.exe:2332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\000CCD48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD576_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE37F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE499_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD14F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCAC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEDE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD72B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE17C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5F0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE62F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD854_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE40_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2C6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2A7_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD15F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE41C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7A6_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA0A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDB3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4D9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE65E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDF0B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD29_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD73B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6ED_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE16C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC8C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4A8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE01_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE370_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE15D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE600_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD084_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5E3_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEFD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE787_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD585_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (26548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE360_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD324_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5C2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE729_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4BA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD362_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE322_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB90_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD71C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE796_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCC9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3C0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD41E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD864_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8CF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE777_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE479_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE12E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDBA0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE64E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1BA_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDC3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF0D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9CB_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8FE_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD98D_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8DE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE719_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD305_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD249_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE70A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD77_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE331_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF4C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF2C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD873_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD893_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6BE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE312_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD74A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE890_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE13D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2D4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6DD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE18B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB04_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3DF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1EB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (55476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD278_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8B0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCB9_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2E3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0F1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD45C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB81_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD046_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9FA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0C3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE4F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE489_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD883_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1DC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6AE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD07_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD17_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3A1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD612_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF9A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD18E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC8A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5D3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1DA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB42_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCF8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD007_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2E5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDF2_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE758_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCDD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE90D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB71_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE19B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4B8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE44B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD825_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCEA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD47C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD065_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD844_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8EE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5B4_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD44D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD566_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7B6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFB9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE20_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC9C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD120_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8A2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5D1_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE43B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE46A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD49B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE610_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE42B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE30_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDD2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE341_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB61_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCE8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0A3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE351_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE748_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE14D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE45A_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD20B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8BF_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE03_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD75A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4C8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5A5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE881_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD382_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD343_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD835_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9BB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDE2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE63F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE739_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6FC_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8A0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD816_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD595_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1CA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1AB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE91D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA29_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3EF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9DB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5E1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE767_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (48916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD602_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCBB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC5B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD026_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8B2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE11_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE61F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF1D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB23_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA67_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD70C_Rar\WdExt.exe (13122 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (0 bytes)

Registry activity

The process mscaps.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "%System%\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB C8 AA F4 12 CA 95 E8 36 32 DA B0 28 55 37 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process @AE1.tmp.exe:1116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Temp]
"adm0.bat" = "adm0"
"adm1.bat" = "adm1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\adm914]
"a4_0" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\adm914]
"a1_0" = "3432392762"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\adm914\695404737]
"43014726" = "0500687474703A2F2F6D617474666F6C6C2E65752E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F7374312E646973742E73752E6C742F6C6F676F682E67696600687474703A2F2F6C70626D782E72752F6C6F676F732E67696600687474703A2F2F626A65726D2E6D6173732E68632E72752F6C6F676F682E67696600687474703A2F2F534F536954455F41564552495F534F5369544545452E6861686168"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\adm914\695404737]
"14338242" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\adm914\695404737]
"7169121" = "36"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKCU\Software\adm914\695404737]
"35845605" = "169"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 F8 7C 41 A0 B7 D2 25 A1 57 96 0C C7 27 24 0F"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKCU\Software\adm914\695404737]
"28676484" = "35"

[HKCU\Software\adm914]
"a3_0" = "17001001"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\adm914\695404737]
"50183847" = "AB5E0738695C8F8323226F12B1D03D7D79E71A90760ACADED2B04A211637CD4145F6749BEE9023AA532184F995577060D6510DE74D26646EFEDFC32366D2CC8E7771C37E919020908A4DB60C10921A99946050DEA9E148F0FFAB69F3A9524762D4085A5E517FCB0C38FF00DB7E5CB8BFF62F51C41C88B0B67DC3FC07CB089EF3"

[HKCU\Software\adm914]
"a2_0" = "5517"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\adm914\695404737]
"21507363" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"@AE1.tmp.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\@AE1.tmp.exe:*:Enabled:ipsec"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process NOTEPAD.EXE:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 2C 75 B5 55 DB 14 7F F9 66 83 9E C6 0D 7A 8E"

The process NOTEPAD.EXE:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 3A 43 EB 5A 68 F1 3F 69 6D E7 A1 28 99 CA C6"

The process NOTEPAD.EXE:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 4C F5 BF 53 E2 2E 89 2B 97 32 89 38 4A 75 33"

The process NOTEPAD.EXE:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C B1 0D 26 80 9A 15 AD A4 E5 9E 23 90 83 C3 0A"

The process NOTEPAD.EXE:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 81 14 33 75 6C B5 42 FB CA 23 A6 5D C7 8E A3"

The process NOTEPAD.EXE:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 9F 77 0F 2D CF E9 A3 CF 49 91 F0 46 14 19 18"

The process NOTEPAD.EXE:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0D 4E 24 68 C0 36 99 93 80 5E 4E C5 72 D5 60"

The process NOTEPAD.EXE:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 2A 29 CA 73 7B E8 5D 1E C6 30 DC 39 A2 C7 6E"

The process NOTEPAD.EXE:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 C7 AB 2A 3B 32 2B D4 A4 00 3E 42 2D 49 BE 45"

The process NOTEPAD.EXE:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 08 44 87 A7 CB 26 8D 8C 23 4D CB D7 3E F1 72"

The process 360Inst_62.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 8C 71 66 57 57 3A 03 26 33 1D DD D2 DF F8 8C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360Install" = ""

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"360Inst_62.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe:*:Enabled:360安全中心"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process netsh.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 81 80 38 59 A1 8B AA 53 6F 49 48 65 F8 18 FB"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process netsh.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 65 79 74 D5 AF 7E 6F AB 74 89 A0 6F FF BA 88"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The process launch.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 2C 53 6A 49 F5 F0 52 BB B5 FE 88 6F 80 3C B3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

The process WdExt.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 BD 40 FB 03 75 E4 3C 2F 53 96 A8 AB 79 82 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process WINMINE.EXE:3636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 D1 4D B5 B9 32 7C D0 C5 95 79 7F C4 14 D4 3C"

The process WINMINE.EXE:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 51 56 33 4F 18 AC BE A2 01 70 7A 6E 10 C8 E1"

The process WINMINE.EXE:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 A7 70 10 45 9E 9B 28 CC 8D 43 EE 4F 8C DA E8"

The process WINMINE.EXE:3772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 83 2F 45 76 60 E3 6D 17 71 F7 10 48 22 41 C2"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: 360.cn
Product Name: 360Inst.exe
Product Version: 2.2.0.1004
Legal Copyright: Copyright (C) 360.cn Inc.All Rights Reserve
Legal Trademarks: 360????
Original Filename:
Internal Name:
File Version: 2.2.0.1004
File Description: 360??????????
Comments:
Language: English

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://softm-b.update.360safe.com/360safe/safe_home.cab?value=27832
hxxp://pinst.360.cn/360safe/safe_home.cab?value=27832	106.120.168.93
windowsupdate.microsoft.com	65.55.50.189
tr.p.360.cn	106.120.169.158
st.p.360.cn	218.30.118.91

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /360safe/safe_home.cab?value=27832 HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

Host: pinst.360.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.8

Date: Sun, 29 May 2016 03:42:32 GMT

Content-Type: application/octet-stream

Content-Length: 24698

Last-Modified: Fri, 01 Apr 2016 08:17:31 GMT

Connection: close

Accept-Ranges: bytes
MSCF....z`......,...........................b"........\DY. .IELog.jpg.
8...b"....\DY. .safe_icon.bmp..!...%....\DY. .safe_logo.jpg."....F....
\DY. .safe_title.JPG......\.....HmR .setup.ini.i.Z8._.rCK...T.K.088. .
....lp.....A..lp'.'...B.,....w....%..@.}.......{...'...U.U.....S..L.,.
.$.!..........v..x .bj..@. ......$[Kgg{~..;'fc3.....j..nl........q.76.
.;...- vB..5....3!J-..V.{..."...V.TT7..6.3...&.t.w....;......9...Q.2..
..a.J.[.gk!JQ.....29...&.bfe2e.f%.fcf.................3...s......n....
...U.%.....Q.V.........h............`r..s6vg.s....8....b........&P.g!J
.?T..WP.......-...N..`......a.fQ.;A].M.0t..,..I..0i...!.M1.........e..
(a3.f.3~QNQ.v.7.$.#!...&......)!...*.......E...q.r...H.`...b|....b.b..
..\\.....99...........?.......PGu(....P..:C.,... 5.r-.......9...;B\.f.
.P[.[..C......w.f.g,......\..!....?........`...v0nv.......a...f...@EFF
FAFEAA....`....c........{................G...Sb.?......},"\\.'......O.
M#..: .P...........M  .&........."2.*..........X...... .p...Q..Q...>
;.. S.=D..CU1.tx.......W4.j....E..G.8..M.)N.R..$A...............v.....
!2.....1%;>..jr.........>.L..H..".<[email protected].)..`..Z......i_.0y...
...%..'.t..8....X*..b..'.v.klaZ...Q..`.....o......A.=.'...fb{|k...A..A
..:.H.*......o.1.s|..$.......e3.Ie...FPH3A....(.....1[v5d......q.M..0H
.%......S.12#..g4p2F..H"}..Th........B...8..5k....W.y..3...&7j..../...
2"...,."O.PV@A.{A,f..N9L..._...&.`^2....t..F-.......[.f.3..(.c.PL.Y1.`
..}..F.T..............o..<.....qH;..n.......%$.r....e.D..YNG...)..|
.....v1.&..&6.......'...2|v..0.8.....f..b.i...R.U..IG<1.A.6...&
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

SRPQSSh

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

DES part of OpenSSL 0.9.7c 30 Sep 2003

libdes part of OpenSSL 0.9.7c 30 Sep 2003

MD5 part of OpenSSL 0.9.7c 30 Sep 2003

MD4 part of OpenSSL 0.9.7c 30 Sep 2003

SHLWAPI.dll

VERSION.dll

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

RegCloseKey

RegDeleteKeyW

RegOpenKeyExW

ADVAPI32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

MSIMG32.dll

MSVCP60.dll

WS2_32.dll

SETUPAPI.dll

HttpQueryInfoW

InternetOpenUrlW

InternetCanonicalizeUrlA

InternetCrackUrlA

WININET.dll

MSVCRT.dll

_wcmdln

PSAPI.DLL

iphlpapi.dll

Secur32.dll

WinHttpGetIEProxyConfigForCurrentUser

WINHTTP.dll

GetProcessHeap

UnhookWindowsHookEx

SetWindowsHookExW

.?AV?$CDialogImpl@VCCancelMsgBox@@VCWindow@ATL@@@ATL@@

.?AVCCancelMsgBox@@

.?AVCHttpDownload@@

HttpGetLastError

HttpGetReceivedLength

HttpGetContentLength

HttpGetConnectState

HttpGetState

HttpResetAll

HttpWait

HttpCancel

HttpDownload

HttpInitDownPara

HttpDeleteDownloadObj

HttpCreateDownloadObj

ag.p.360.cn

tr.p.360.cn

221.194.134.221

220.181.126.81

error %d

124.238.243.54

<TIME><TICK HTTPRATE/HTTPCONN-P2PRATE/P2PCONN-HTTPDATA/HTTPDUP-P2PDATA/P2PDUP-PERCENTAGE>,

[%s] %s

%u/%u-%u/%u-%u/%u-%u/%u-%d%%>,

function shExpMatch(host, domain) {var c = domain.charAt(0); if(c == "\*") {var str = host.charAt(0)   domain; var exp1 = new RegExp(str); return host.match(exp1);} else {var exp2 = new RegExp(domain); return host.match(exp2);} }

function dnsDomainLevels(host) {var idx = host.indexOf(".");if(idx == -1) return 0; var substr = host.substring(idx   1); return 1   dnsDomainLevels(substr);}

function myIpAddress() { return "127.0.0.1"; }

function dnsResolve(host) { return "127.0.0.1"; }

function localHostOrDomainIs(host, hostdom) {if(hostdom.match(host)) return true; else return false; }

function dnsDomainIs(host, domain) {if(host.match(domain)) return true; else return false; }

function isPlainHostName(host) {if(host.match(".")) return false; else return true; }

%sX

360Pd
2I64X

360Pd%s

%s-%s

HTTP/1.0 200 OK

%s%s%s

GET /index.html HTTP/1.0

127.0.0.1

TCP Port

st.p.360.cn

stun01.sipphone.com

%s%s-%s

Referer: %s

Content-Length: %d

Content-Type: multipart/form-data; boundary=%s

Host: %s

User-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)

User-Agent: %s

%s %s HTTP/1.1

ku6.com

fastweb

Content-Disposition: form-data; name="%s"

<4,$?7/'

(3-!0,1'8"5.*2$

Corrupted file or wrong key

M-SEARCH * HTTP/1.1

HOST: 239.255.255.250:1900

controlURL

hXXp://

URLBase

HTTP/1.1

s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">

xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"

AddPortMapping

NewPortMappingDescription

NewInternalPort

NewExternalPort

DeletePortMapping

External NAT port in use

External NAT port in use: Too many retries

Error getting StaticPortMappingCollection

Port mapping not owned by this class

RemoveNatPortMapping

%s:%d-ID(%s)-NAT(%d)-VER(%d)-STAT(%d)-FULL(%d%%)-DNVOL(%u)-UPVOL(%u),

Cid[%u] %s

HOST%d(%s)-PRI(%d)-ZONE(%d)-VOL(%u)-CNT(%d),

%s:%d-HOST(%s)-VOL(%u)-OK(%d)-ERR(%d),

HTTP/

%s %s

0|2008-10-08|15:04:02|QHErrObj.cpp|1||MEM|1|

version="1.0.0.0"

360Inst.exe

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

@ /URL:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HttpDownLib

%s360net.dll

%s\%s

%s\*.*

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

?value=%d

kernel32.dll

%d.%d.%d.%d

%s.exe

@PDown://b7=1|b2=%d|p2=%s|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d

PDown://b7=1|b2=%d|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d

mod=Installer&ver=%s&t_pidpro=%s_%s

%s /S /D=%s

%s /D=%s

1.2.0.1004

hXXp://pdown.stat.360safe.com/dimana.htm

@ddrawex.dll

ddraw.dll

d3d9.dll

d3d8thk.dll

d3d8.dll

@,%s,

MainWindowSize

Description%d

Urls

HTTPTimeup

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_PERFORMANCE_DATA

HKEY_USERS

pdown://p2=%s|b5=%s|b6=%s|p4=%d;%s;%s;%u;

%sNUList.ini

HNetCfg.FwAuthorizedApplication

HNetCfg.FwMgr

[Login] ---------- end ----------

[Login] ---------- start ----------

----------[CreateP2SPTask] ID:%d, pdonw:%s, file:%s----------

----------[StartTask] ID:%d----------

----------[StopTask] ID:%d----------

----------[GetFinishMessage] ID:%d----------

[DiskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.

[DiskFile] set file valid data failed file:%s %d

[CDiskFile::RenameFile] MoveFile fail, error code is %d

[CDiskFile::RenameFile] file(%s) already exist

%s.%u

[__check_piece_hash] id:%d, piece:%d

[CDiskFile::__write_disk] WriteFile fail, error code is %d

[CDiskFile::__write_disk] SetFilePointer fail, error code is %d

[CDiskFile::__read_disk] ReadFile fail, error code is %d

[CDiskFile::__read_disk] SetFilePointer fail, error code is %d

[CDiskFile::__open_file] create file(%s) fail! error code is %d

Kernel32.dll

n[Use Tcp Proxy]:Tcp %s, %d

[change tracker ip]: udp: %s ,tcpproxy:%s %d

Drop result %s:%d

Receive result %s:%d %I64u flag %d

Registering %s:%d %I64u

tracker Udp dns resolve: %s:%d

[Use Udp Server]

login server , public ip %s:%d private ip %s:%d peerid: %s

ReDirect Server ,Relogin

PeerId Exist, ReLogin

share: taskid %d hash %s result %d

GetPeer: taskid %d hash %s result %d

[TaskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.

360P2SP.dll

\LiveUpdateLog\P2SP.log

PolicyControl%d

[CTaskMgr] DNS proxy: %s

\livep.dat

[CTaskMgr::__update_config] update livep.dat

[CTaskMgr::__check_load] traffic control stop! load:%d disk:%d , taskmgr:%d

[CTaskMgr::__check_load] traffic control start! load:%d disk:%d , taskmgr:%d

[CTaskMgr::__CreateTask] Init task fail. Id:%d, Pdown:%s, File:%s

[CTaskMgr::__sendmsg_knl] type:%d, taskid:%d, cost:%dms, msg:%d.

[CTaskMgr::__sendmsg_knl] send fail! current load: %d

sd-d-d d:d:d:=[%s]-->%s

>hXXp://pstat.p.360.cn/uplog.php

pstat.p.360.cn

%s\LiveUpdateLog\track-dddddd.d.log

FindProxyForURL

[P2SP_FindProxyForURL]

. Result: %s.

. URL: %s, Host: %s.

[CProxyMgr::GetProxyAddrW] P2SP_FindProxyForURL fail

%s_%d

[NotifyWinPop] %d , %s ,%s ,%s

%s;%d;%s;%s

customhttp

%s;%d;%s;%s;%d

HTTP Proxy Authorization

http=

hXXp://wpad.%s/wpad.dat

hXXp://%s/wpad.dat

HTTPMINPIECE

MAXHTTPCONN

MAXCONNMSG

HTTPTIMEOUT

%u.%u.%u.%u

KICKHTTP

MSGQUEUE

HTTPDATA

HTTPHDR

HTTPCONN

[UdpListing] Port :%d

[UdpListing] Err: %d

[TcpListing] Nattype =%d , Port = %d

[TcpListing] Err: %d

[UPnp] is Open :NatType:%d, port: %d

StunRecv:Type %d Count:%d

mStunt Dns resolve: %s:%d

Net Type StunTypePortRestrictedNat

Nat Test again,Relogin %d

Begin Login

tudp %6s

tudp %6s flag:%d seq: ack: len M

passive

tudp send action:%6s

tudp send action:%s

tudp action:%6s ini ack:%d ack:%d

tracker rsp not login

Disconnect from %s:%d , reason %d , api_reason %d

[=]connect to %s:%d

[=]Requesting Meta %s:%d

[=]Send request index %d begin %d lenth %d

[=]connected from %s:%d

[=]Handshake with %s:%d %d

[=]recv bitfield s:%d, %d bytes

[=]recv meta req s:%d, %s

[=]recv Meta File from %s :%d , %d

[=]recv have %s :%d , %d

[=]recv piece request %s :%d , index %d begin %d length %d

[=]recv piece data %s :%d , index %d begin %d length %d

[=]recv cancel %s :%d , index %d begin %d length %d

[=]recv interest %s :%d

[=]recv unchoke %s :%d

[=]Disconnect s:%d, status %d , Reason %d , api %d

< UDP %s

< TCP %s

><TCP

><UDP

<HTTP

TaskID = %u FileName=%s ErrorCode= %d

TaskID = %u ErrorCode = %d

TaskID = %u ErrorCode = %d PDownURL = %s

TaskID = %u URL = %s File=%s

TaskID = %u Start

TaskID = %u File = %s

TaskID = %u FileName = %s

TaskID = %u Pause

TaskID = %u StopSeed

TaskID = %u Stop

,IP|%u,ER|%u

TaskID|%u,ErrorCode|%d,LineNo|%d,DnCount|%d,HttpNum|%d,DnFailCount|%d,FStatus|%d,IsTorrent|%d,Peers|%d,Seeds|%d,P2SS|%I64d,P2PS|%I64d,PDMode|%d,Dup|%I64d,P2SDUP|%I64d,P2PDUP|%I64d,P2PTS|%I64d,P2PUS|%I64d,P2PTDS|%I64d,P2PUDS|%I64d,Proxy|%d,DNSTime|%u,ConTime|%u,HeadTime|%u,DataTime|%u,61Err|%d,60Err|%d,54Err|%d,53Err|%d,DNS|%u,416Code|%u,502Code|%u,503Code|%u,ElsNum|%u,Nat|%d,HttpMgrFail|%d

Cid = %u TaskID = %u PieceMgr InitCid Ok

Cid = %u TaskID = %u PieceMgr InitCid fail

Cid = %u TaskID = %u GetHttpStatInfo fail

Cid = %u TaskID = %u HttpConnnect fail

Cid = %u TaskID = %u m_nFinishStatus not working Delete

Cid = %u TaskID = %u SetFileLen %I64d

Cid = %u TaskID = %u Httpcode = %u Delete

Cid = %u TaskID = %u IsContinueDownload fail Delete

Cid = %u TaskID = %u WriteRange fail ErrorCode = %u, Delete

Cid = %u TaskID = %u

Cid = %u TaskID = %u OnNotifyHttpData fail Delete

Cid = %u TaskID = %u IsContinueDownload fail Delete

Cid = %u TaskID = %u Delete Reason = %u HttpCode = %d

TaskID = %u Cid = %u

TaskID = %u Cid = %u ErrorCode = %d

Cid = %u TaskID = %u Delete Reason = %u

Cid = %u TaskID = %u OnNotifyHttpRelease Delete

%u-%s

TaskID = %u ErrorCode = %u

TaskID = %u Index = %u ErrorCode = %d

[P2SPLOG] Taskid:%d, Filelen:%I64d(Byte), Time:%d(ms), Avgrate:%d(KBps), P2S:%I64d(%d%%), P2P:%I64d(%d%%) Dup %I64u, P2S Dup %I64u, P2P Dup %I64u, MaxConNum:%d

Cid = %u TaskID = %u WriteSlice fail, Delete

Cid = %u TaskID = %u Delete

Cid = %u TaskID = %u Read FilePos Error Offset= %I64d FileLen = %I64d

Cid = %u TaskID = %u DataReq Index Error Index = %d MaxIndex = %d

TaskID = %u Load TorrentData fail ErrorCode = %d

ERR(%u)-Cid(%u)

Cid = %u TaskID = %u AsyncStartHttp fail ErrorCode = %d

Cid = %u TaskID = %u AllocRange fail

TaskID = %u SetFileLen %I64d

TaskID = %u Delay = %d

Cid = %u TaskID = %u SendRequest fail ErrorCode = %d

Cid = %u TaskID = %u AllocSlice fail

TaskID = %u Downlaod fail ErrorCode = %d

TaskID = %u httpMrg Downlaod fail ErrorCode = %d

TaskID = %u Downlaod fail ErrorCode = %d

Cid = %u TaskID = %u Torrent Http Start

TaskID = %u AsyncConnect fail

TaskID = %u http init fail

TaskID = %u SetProxy fail

%s:%d-PType(%u)-AType(%u)

sd.p.360.cn

hXXp://sd.p.360.cn/%s.trt

Cid = %u TaskID = %u Torrent Delete

TaskID = %u Download Torret fail

TaskID = %u Cid = %u Dataoffset is bigger than filelen

TaskID = %u Cid = %u TorrentBuffer is NULL

TaskID = %u Cid = %u NOT INIT

TaskID = %u Cid = %u Proxy Auth fail

TaskID = %u Cid = %u Auth type unknown

Cid = %u TaskID = %u Error = %u

Cid = %u TaskID = %u OnNotifyTorrentRelease

TaskID = %u Rename start

TaskID = %u CheckFile Start

TaskID = %u change Auth type = %d

ID(%u)-TYPE(http)-IP(%s)-PORT(%d)

ID(%u)-Host(%s)-IP(%s)-INFO(%s/%s)-TYPE(http)-REASON(%s)-ERRCODE(%u)-ERRPARA(%u)-REDIRECT(%d)-PROXY(%u)-AUTH(%u)-Begin(%I64d)-End(%I64d)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-GetMs(%d)

%s-Timeout(%d)-Quota(%d)

HttpDup

HttpData

CID[=] %s(%s) disconnected, reason %d, api %d, state %d, downloaded %I64d, %d ms

CID[=] %s(%s) closed, error code %d, api %d, state %d, downloaded %I64d, %d ms

CID[=] %s(%s) connect ok,cost %d ms

CID[=] %s(%s) connect failed, %d

CID[=] %s(%s) Receive Header Completed , %d bytes , status code:%d , Content-Length : %I64d

CID[=] %s(%s) Connecting to %s:%d pending %d ms

CID[=] %s(%s) Connecting to %s:%d failed, error code:%d %d ms

DNS Result :%s

DNS Error %d

CID[=] Connecting to %s:%d

CID[=] %s(%s) Connecting to %s:%d

============addportmap success

HTTP://

TaskID = %u exception raised in method CFileMgr::Read, read from file fail(call ReadFile), error code is %d

TaskID = %u exception raised in method CFileMgr::GetSize, file size is too huge

TaskID = %u exception raised in method CFileMgr::GetSize, get file size fail(call GetFileSize), error code is %d

TaskID = %u exception raised in method CFileMgr::LoadMemFile, open file fail, error code is %d

TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter nNumber must greater than zero

TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter pBuffer can not be NULL

TaskID = %u exception raised in method CFileMgr::SetMemFile, read from file fail(call WriteFile), error code is %d

TaskID = %u exception raised in method CFileMgr::SetMemFile, open file fail, error code is %d

TaskID = %u exception raised in method CFileMgr::SetMemFile, error code is %d

TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter nNumber must greater than zero

TaskID = %u ,exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL

TaskID = %u exception raised in method CFileMgr::GetMemSize, open file fail, error code is %d

TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter nNumber must greater than zero

TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter pBuffer can not be NULL

TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL

TaskID = %u exception raised in method CFileMgr::GetTorrentSize, file size is too huge

TaskID = %u exception raised in method CFileMgr::GetTorrentSize, get file size fail(call GetFileSize), error code is %d

TaskID = %u exception raised in method CFileMgr::GetTorrentSize, open file fail, error code is %d

IsFileExisting Error = %d

[AllocRange] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[AllocRange] cid(%d) ok, from %I64d to %I64d. (%I64d) length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[WriteRange] cid(%d) fail. from %I64d to %I64d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[AllocSlice] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[AllocSlice] cid(%d) ok, index(%d) from %d to %d. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[WriteSlice] cid(%d) fail. index(%d) from %d to %d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d

[__LoadTorrent] invalid torrent file! errcode:x

ID(%u)-TYPE(p2p)-REASON(%s)-ERRCODE(%u)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-BitMs(%d)

ID(%u)-TYPE(p2p)-IP(%s)-PORT(%d)-NAT(%d)

TaskID = %u

TaskID = %u result = %d

RES(%d)-CNT(%d)

ID(%u)-TYPE(http)-IP(0)-PORT(0)

Ip = %s

Cid = %u TaskID = %u Rate = %u MaxRate = %u ,

Cid = %u TaskID = %u ConnectNum = %d

Cid = %u TaskID = %u Ip = %s

TaskID = %u proxy=%d,Errcode = %u

TaskID = %u proxy=%d,Errcode = %u

TaskID = %u Errcode = %u

TaskID = %u ErrorCode = %d,

TaskID = %u ErrorCode = %d ,

Cid = %u TaskID = %u AsyncStartDownload from =%I64d to = %I64d HttpNum = %d

TaskID = %u ErrorCode =%d,

Cid = %u TaskID = %u StopHttp

Cid = %u TaskID = %u Http connect ok

OLDIP(%s)-OLDURL(%s)-NEWURL(%s)

Cid = %u TaskID = %u Recv Http Head Msg ,httpcode= %u

Cid = %u TaskID = %u OnNotifyHttpData can not http

TaskID = %u Cid = %u Proxy Fail Errcode = %u Ip = %s

TaskID = %u Cid = %u HttpErrcode = %u ip = %s

TaskID = %u Cid = %u HttpCode = %u Ip = %s,

TaskID = %u Cid = %u Fail Errcode = %u Ip = %s

TaskID = %u,Cid = %u change Auth type = %d

Cid = %u TaskID = %u by DeleteHttp

Cid = %u TaskID = %u By DeleteConnect

Cid = %u TaskID = %u By DeleteAllHttp

Cid = %u TaskID = %u By DeleteAllConnect

ID(%u)-Host(%s)-IP(%s)-TYPE(http)-REASON(PRECONN)-ERRCODE(%u)-ERRPARA(%u)

%s->%s:%d-PType(%u)-AType(%u)

Ip = %s Url

Ip = %s url= %s

Cid = %u TaskID = %u proxy fail

Cid = %u TaskID = %u ProcHttpUnKnowncode ,HttpCode = %u

Cid[%u] AuthType[%d:%d] ProxyHost[%s:%d]

Cid[%u] AuthType[%d] ProxyHost[%s:%d]

TaskID = %u Cid = %u Httpcode = %d Ip = %s

TaskID = %u Cid = %u Httpcode = %d Ip = %s,

TaskID = %u Cid = %u Httpcode = %d Url= %s

TaskID = %u Cid = %u Httpcode = %d Ip = %s ,

TaskID = %u Cid = %u Httpcode = %d Ip = %s

[P2SPHOST::__addurl] %s

[P2SPHOST::AddIplist] %s - %s

[P2SPHOST::AddIplist] reparse host:%s

[P2SPHOST::BlockUrl] URL: %s

[P2SPHOST::BlockUrl] invalid URL: %s

[P2SPHOST::BlockIp] invalid IP: %s

[P2SPHOST::BlockIp] IP: %s

[P2SPHOST::BlockIp] mask error(%d-%d). IP: %s

[P2SPHOST::BlockIp] too much error(%d-%d). IP: %s

[P2SPHOST::PickIp] IP: %s, traffic: %d, file: %s

[P2SPHOST::UpdateCidTraffic] ip(%s) not mapped!

D:\root.d\dev\360\C  \360PubSrc\360Base\QHMD5.cpp

netmsg.dll

mqutil.dll

wininet.dll

__crt

|hu-hu-hu|hu:hu:hu|%s|%d|%s|%s|%d|%s

%x:%x

%s %u

1830B7BD-F7A3-4c4d-989B-C004DE465EDE

D:\ROOT.D\DEV\360\C  \360PUBSRC\360GPUB\INCLUDE\QHTL.h

HTTPDOWNLIB

360.cn

2, 2, 0, 1004

Copyright (C) 360.cn Inc.All Rights Reserve

)hXXp://pinst.360.cn/360safe/safe_home.cab

%s\360\

'hXXp://VVV.360.cn/custom/xukexieyi.html

%s...

: %dMB

: %dKB/S

setup.ini

360Inst_62.exe_644_rwx_00DF0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.text

360Inst_62.exe_644_rwx_00E00000_00001000:

|360inst_62.exeM_644_

Explorer.EXE_532_rwx_00FF0000_00002000:

SHELL32.DLL

ShellExecuteA

KERNEL32.DLL

.text

Explorer.EXE_532_rwx_01E20000_00001000:

|explorer.exeM_532_

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   mscaps.exe:2748
   wtmps.exe:2700
   %original file name%.exe:1932
   @AE1.tmp.exe:1116
   NOTEPAD.EXE:3596
   NOTEPAD.EXE:3744
   NOTEPAD.EXE:3676
   NOTEPAD.EXE:3568
   NOTEPAD.EXE:2284
   NOTEPAD.EXE:3524
   NOTEPAD.EXE:3536
   NOTEPAD.EXE:2240
   NOTEPAD.EXE:3732
   NOTEPAD.EXE:3704
   netsh.exe:2472
   netsh.exe:636
   launch.exe:2640
   WdExt.exe:2332
   WINMINE.EXE:3636
   WINMINE.EXE:3664
   WINMINE.EXE:3608
   WINMINE.EXE:3772
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (406 bytes)
   %System%\wtime32.dll (29045 bytes)
   %System%\mscaps.exe (27349 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (18098 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe (23936 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBA8B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB933_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC597_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC1EE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (242745 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC7AA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC180_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC22C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBF9C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC4AD_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC113_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB79D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB897_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC624_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB878_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBC12_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB82A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC4EB_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBD79_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBB66_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC5C6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC2B9_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB8F5_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC0B5_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC48E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC019_Rar\@AE1.tmp.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBCEC_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC317_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBBD3_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBC31_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC430_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC057_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC662_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB9C0_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBF8C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC75C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBC6F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB7DC_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBABA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC4CC_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC038_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC7CA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC336_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC568_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBBF2_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC151_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC45F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB9EF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBFFA_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC827_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC50B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC0D4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBB95_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB9DF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC077_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC374_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC0E4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC420_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC3D2_Rar\@AE1.tmp.exe (13122 bytes)
   %WinDir%\system.ini (70 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB77E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC0A6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC643_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC6EF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC24B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB859_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC29A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC6C0_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC2D8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBA1E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC70E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC067_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBD4A_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC142_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC26B_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBA2D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB7FB_Rar\@AE1.tmp.exe (13122 bytes)
   C:\%original file name%.exe (2792 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB73F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC7E9_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC682_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBF2F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBAF8_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC559_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC605_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC1CE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC808_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (455744 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB9FE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBB37_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC1A0_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (907 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC123_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB8D6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBA5C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC355_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC46E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBC9E_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBBB4_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (1792 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC3B3_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC1BF_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC0C5_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC20D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (1304 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC76C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC73D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB8B6_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBD0C_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC44F_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBCBE_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC029_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC6A1_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CB914_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CBF7D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC49D_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CC2F7_Rar\@AE1.tmp.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_icon.bmp (824 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_logo.jpg (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\360net.dll (111 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\safe_title.JPG (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\setup.ini (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected]\IELog.jpg (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD48_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD576_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE37F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE499_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD14F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB13_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCCAC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCEDE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD72B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE17C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE5F0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE62F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD854_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE40_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA38_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD2C6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD2A7_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD15F_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE41C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (36444 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE7A6_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA0A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDDB3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (21164 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD4D9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE65E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDF0B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD29_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD73B_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6ED_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE16C_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCC8C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE4A8_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCE52_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE01_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE370_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE15D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDCD8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE600_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD084_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5E3_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCEFD_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE787_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD585_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (26548 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE360_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (18508 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB52_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD324_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE5C2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6CD_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE729_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5F3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD58_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD4BA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5C4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD362_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE322_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB90_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD71C_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE796_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDCC9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB32_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD3C0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF6B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD41E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD864_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8CF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE777_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE479_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE12E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDBA0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE64E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE1BA_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDDC3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF0D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD9CB_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8FE_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD98D_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8DE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDC7B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE719_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD305_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD249_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE70A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD77_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE331_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF4C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF2C_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD873_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDC6B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD893_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6BE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE312_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD74A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE890_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE13D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (28924 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE2D4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6DD_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE18B_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB04_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD3DF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD1EB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (55476 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD278_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE2F3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF3C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8B0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDCB9_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDC3C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE2E3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD0F1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD45C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB81_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD046_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD9FA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD0C3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE4F_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE489_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD883_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD1DC_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6AE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDD07_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDD17_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD3A1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD612_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD38_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF9A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD18E_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDC8A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5D3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE1DA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB42_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDCF8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD007_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD2E5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDDF2_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE758_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCDD5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE90D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB71_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE19B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE4B8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE44B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD825_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCCEA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD47C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD065_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD844_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8EE_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5B4_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD44D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD566_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE7B6_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCFB9_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE20_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCC9C_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD120_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD8A2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE5D1_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE43B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE46A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD49B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE610_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE42B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE30_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDDD2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE341_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB61_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDCE8_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD0A3_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE351_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE748_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE14D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD8C1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE45A_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD20B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8BF_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA58_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCE03_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCCFA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD75A_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE4C8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD5A5_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE881_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD382_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD343_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD835_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD9BB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDDE2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCE13_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE63F_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE739_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD6FC_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE8A0_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD816_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD595_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE1CA_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE1AB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE91D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE2C4_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA29_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCE32_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD3EF_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD9DB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCFD8_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE5E1_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE767_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCD19_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (48916 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA19_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD602_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCCBB_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDC5B_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD026_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD8B2_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA48_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDE11_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CE61F_Rar\WdExt.exe (26244 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CCF1D_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDB23_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CDA67_Rar\WdExt.exe (13122 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\000CD70C_Rar\WdExt.exe (13122 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "360Install" = ""
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.