Gen.Variant.Symmi.43793_9bd9f1f6d9

by malwarelabrobot on June 19th, 2018 in Malware Descriptions.

Gen:Variant.Symmi.87613 (BitDefender), VirTool:Win32/Obfuscator (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader26.50781 (DrWeb), Gen:Variant.Symmi.87613 (B) (Emsisoft), Generic-FAAF!9BD9F1F6D929 (McAfee), Packed.Vmpbad!gen4 (Symantec), Trojan.Win32.VMProtect (Ikarus), Gen:Variant.Symmi.87613 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0CFE18 (TrendMicro), Gen:Variant.Symmi.43793 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Packed, VirTool, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9bd9f1f6d929a406b3ac3fc329ac2627
SHA1: 425033f3375cdb4c54059df361c8b4020ee19e9d
SHA256: b7ffcdb03f9cabb522e0238a6d4137ca16d01cf4d178ac6860a9c9f77b890b39
SSDeep: 12288:I90CZxPlgjhE/EcCeqPCDoJz5FGU9tUgWDencg2pQ/YXf2jSjK7:I9Fgmv5quOGhgle0CujSjK
Size: 671744 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2018-06-14 14:09:21
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3516

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\MTziL.dll (332 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version]
"(Default)" = "1.2"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\MSComDlg.CommonDialog.1\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\MSComDlg.CommonDialog\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Font Property Page Object"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}]
"(Default)" = "ICommonDialog"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "ICommonDialogEvents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"MaxFileSize" = "1048576"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.OCX, 1"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS]
"(Default)" = "2"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"MaxFileSize" = "1048576"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX, 1"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID]
"(Default)" = "MSComDlg.CommonDialog"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"Version" = "1.2"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"EnableFileTracing" = "0"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"EnableFileTracing" = "0"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Help Property Page Object"

[HKCR\MSComDlg.CommonDialog\CurVer]
"(Default)" = "MSComDlg.CommonDialog.1"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1]
"(Default)" = "132499"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]
"(Default)" = "Microsoft Common Dialog Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"Version" = "1.2"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Open Property Page Object"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\MSComDlg.CommonDialog]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\MSComDlg.CommonDialog.1]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Color Property Page Object"

[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\9bd9f1f6d929a406b3ac3fc329ac2627_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"

[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Print Property Page Object"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

Dropped PE files

MD5 File path
eb5f811c1f78005b3c147599a0cccf51 c:\Windows\System32\COMCTL32.OCX
ab412429f1e5fb9708a8cdea07479099 c:\Windows\System32\COMDLG32.OCX
90a39346e9b67f132ef133725c487ff6 c:\Windows\System32\MSINET.OCX

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 9100 bytes in size. The following strings are added to the hosts file:

182.253.238.102 localhost
182.253.238.102 www.puasaciter.com
182.253.238.102 puasaciter.com
182.253.238.102 citpekalongan.net
182.253.238.102 www.citpekalongan.net
182.253.238.102 www.pekalongan-kommuniti.net
182.253.238.102 wawcheatvip.blogspot.co.id
182.253.238.102 wawcheatvip.blogspot.com
182.253.238.102 waw-jakarta-cheater.blogspot.co.id
182.253.238.102 waw-jakarta-cheater.blogspot.com
182.253.238.102 pekalongan-kommuniti-cheat.blogspot.com
182.253.238.102 pekalongan-kommuniti-cheat.blogspot.co.id
182.253.238.102 www.pekalongankomuniti.com
182.253.238.102 pekalongan-kommunitiy.blogspot.com
182.253.238.102 pointblankidhack.xyz
182.253.238.102 pekalongan-kommuniti.net
182.253.238.102 rhm-files.blogspot.co.id
182.253.238.102 www.rhm-files.blogspot.co.id
182.253.238.102 rhm-files.blogspot.com
182.253.238.102 sites.google.com
182.253.238.102 www.rhm-files.blogspot.com
182.253.238.102 rhm-files.blogspot.sg
182.253.238.102 www.rhm-files.blogspot.sg
182.253.238.102 mrcheat.us
182.253.238.102 www.mrcheat.us
182.253.238.102 www.mrcheat.net
182.253.238.102 applogsg.matrix.netease.com
182.253.238.102 mgbsdksgtest.matrix.netease.com
182.253.238.102 unisdk.update.netease.com
182.253.238.102 netease.com
182.253.238.102 mrcheat.net
182.253.238.102 rhm-files.blogspot.co.uk
182.253.238.102 www.rhm-files.blogspot.co.uk
182.253.238.102 rhm-files.blogspot.de
182.253.238.102 www.rezpektor-key.net
182.253.238.102 rezpektor-key.net
182.253.238.102 vista-tigabelas.blogspot.com
182.253.238.102 vista-tigabelas.blogspot.co.id
182.253.238.102 vista-tigabelas.blogspot.de
182.253.238.102 update.netease.com
182.253.238.102 g61.update.netease.com
182.253.238.102 d-cit.blogspot.com
182.253.238.102 d-cit.blogspot.co.id
182.253.238.102 mod-cit.blogspot.co.id
182.253.238.102 mod-cit.blogspot.com
182.253.238.102 mod-cit.blogspot.de
182.253.238.102 www.gelo-cheats.com
182.253.238.102 gelo-cheats.com
182.253.238.102 bancyberz.com
182.253.238.102 www.vvip-x-anonymous.com
182.253.238.102 vvip-x-anonymous.com
182.253.238.102 mrcheat.us
182.253.238.102 www.mrcheat.us
182.253.238.102 mrcheat.us/blog
182.253.238.102 www.mrcheat.us/blog
182.253.238.102 www.mrcheat.us/blog/
182.253.238.102 bagicheatonline.blogspot.co.id
182.253.238.102 bagicheatonline.blogspot.com
182.253.238.102 bagicheatonline.blogspot.de
182.253.238.102 triomarbot.com
182.253.238.102 www.bagicheatonline.blogspot.co.id
182.253.238.102 www.sundaizer.com
182.253.238.102 sundaizer.com
182.253.238.102 www.bancyberz.com
182.253.238.102 gudang-ngecit.com
182.253.238.102 www.gudang-ngecit.com
182.253.238.102 mediadisk.net
182.253.238.102 cupit-cheat.com
182.253.238.102 www.cupit-cheat.com
182.253.238.102 www.mediadisk.net
182.253.238.102 propekalongan-kommunity.blogspot.co.id
182.253.238.102 www.propekalongan-kommunity.blogspot.co.id
182.253.238.102 propekalongan-kommunity.blogspot.com
182.253.238.102 www.propekalongan-kommunity.blogspot.com
182.253.238.102 propekalongan-kommunity.blogspot.sg
182.253.238.102 mitracit.blogspot.co.id
182.253.238.102 mitracit.blogspot.com
182.253.238.102 www.propekalongan-kommunity.blogspot.sg
182.253.238.102 kotakciter.blogspot.co.id
182.253.238.102 www.kotakciter.blogspot.co.id
182.253.238.102 kotakciter.blogspot.com
182.253.238.102 www.kotakciter.blogspot.com
182.253.238.102 kotakciter.blogspot.sg
182.253.238.102 www.kotakciter.blogspot.sg
182.253.238.102 kotakciter.blogspot.co.uk
182.253.238.102 www.kotakciter.blogspot.co.uk
182.253.238.102 www.citpurworejo.com
182.253.238.102 citpurworejo.com
182.253.238.102 www.vazdancer.net
182.253.238.102 vazdancer.net
182.253.238.102 mediadisk.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk1.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk1.net
182.253.238.102 www.mediadisk.net
182.253.238.102 mediadisk2.net
182.253.238.102 www.mediadisk2.net
182.253.238.102 mediadisk3.net
182.253.238.102 140.207.168.45/g/d
182.253.238.102 api.goapk.com
182.253.238.102 api.goapk.com/ucsdk.php
182.253.238.102 appdump.x.netease.com/upload
182.253.238.102 fc.my.163.com:8080/
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/before_create_order
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/check_channel
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/check_white_phone
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/create_order
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/dot_upload
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/init
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/reg_ver_confirm
182.253.238.102 fee.arc-soft.com:26000/gamefee/sdk/ver_confirm
182.253.238.102 g0.gdl.netease.com
182.253.238.102 g73.drpf.x.easebar.com
182.253.238.102 h5.m.taobao.com/trade/paySuccess.html?bizOrderId=$OrderId$&
182.253.238.102 hydra.alibaba.com
182.253.238.102 m.alipay.com/?action=h5quit
182.253.238.102 mbdl.update.netease.com/%s.mbdl
182.253.238.102 mbdl.update.netease.com/httpdns.mbdl
182.253.238.102 mcgw.alipay.com/sdklog.do
182.253.238.102 mobile.unionpay.com/getclient?platform=android&type=securepayplugin
182.253.238.102 mobilegw-1-64.test.alipay.net/mgw.htm
182.253.238.102 mobilegw.aaa.alipay.net/mgw.htm
182.253.238.102 mobilegw.alipay.com/mgw.htm
182.253.238.102 mobilegw.stable.alipay.net/mgw.htm
182.253.238.102 tqlm.16163.com/zt/tqlm/gamefeedback-test/index.html
182.253.238.102 update.unisdk.163.com/feature/query.json
182.253.238.102 update.unisdk.163.com/g0/
182.253.238.102 update.unisdk.163.com/html/latest_default.json
182.253.238.102 update.unisdk.easebar.com/feature/
182.253.238.102 update.unisdk.easebar.com/html/latest_v4.json
182.253.238.102 update.unisdk.easebar.com/html/latest_v9.json
182.253.238.102 update.unisdk.easebar.com/realname/
182.253.238.102 update.unisdk.easebar.com/realname/all.json
182.253.238.102 update.unisdk.easebar.com/realname/all.json.md5
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applog.matrix.netease.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 applogsg.matrix.easebar.com
182.253.238.102 data-detect.nie.easebar.com
182.253.238.102 data-detect.nie.netease.com
182.253.238.102 dby.ipaynow.cn/api/payment
182.253.238.102 g0-unipatch.nie.easebar.com
182.253.238.102 g0-unipatch.nie.netease.com
182.253.238.102 mgbsdk.matrix.netease.com
182.253.238.102 mobilegw.alipay.com
182.253.238.102 pay.ipaynow.cn
182.253.238.102 pay.ipaynow.cn/api_release/
182.253.238.102 pay.ipaynow.cn/sdk/syncException
182.253.238.102 sigma-echoes.proxima.nie.netease.com/query/
182.253.238.102 udt-sigma.proxima.nie.easebar.com/query
182.253.238.102 udt-sigma.proxima.nie.netease.com/query
182.253.238.102 unisdk.update.easebar.com/unipatch/
182.253.238.102 www.mediadisk3.net
182.253.238.102 mediadisk4.net
182.253.238.102 www.mediadisk4.net
182.253.238.102 mediadisk5.net
182.253.238.102 www.mediadisk5.net
182.253.238.102 mediadisk6.net
182.253.238.102 www.mediadisk6.net
182.253.238.102 mediadisk7.net
182.253.238.102 www.mediadisk7.net
182.253.238.102 mediadisk8.net
182.253.238.102 www.mediadisk8.net
182.253.238.102 mediadisk9.net
182.253.238.102 www.mediadisk9.net
182.253.238.102 mediadisk6.net
182.253.238.102 www.mediadisk6.net
182.253.238.102 duniaku.net
182.253.238.102 www.duniaku.net
182.253.238.102 mrsnapznet.us
182.253.238.102 www.mrsnapznet.us
182.253.238.102 blackxat.com
182.253.238.102 www.blackxat.com
182.253.238.102 black-xat.com
182.253.238.102 www.xlack-xat.com
182.253.238.102 203.117.172.56
182.253.238.102 203.117.172.43
182.253.238.102 203.117.172.4
182.253.238.102 203.117.172.57
182.253.238.102 bandicam.com
182.253.238.102 www.bandicam.com
182.253.238.102 ssl.bandisoft.com
182.253.238.102 fairplay.pb.garena.co.id
182.253.238.102 wellbia.com
182.253.238.102 www.wellbia.com
182.253.238.102 zm1.november-lax.com
182.253.238.102 www.adnetworkperformance.com
182.253.238.102 n162adserv.com
182.253.238.102 447pihoz.tech
182.253.238.102 rdsa2012.com
182.253.238.102 www.blkget.com
182.253.238.102 ampclicks.com
182.253.238.102 match.mixplugin.com
182.253.238.102 track.funshopfun.com
182.253.238.102 cdn.adplxmd.com
182.253.238.102 cdn.todigroup.com
182.253.238.102 www.blkget8.com
182.253.238.102 Offerjuice.me
182.253.238.102 www.Offerjuice.me
182.253.238.102 www.ab4hr.com
182.253.238.102 track.frwdx.com
182.253.238.102 adsrvmedia.adk2x.com
182.253.238.102 zo6.realsuperblite.com
182.253.238.102 srv.revdepo.com
182.253.238.102 www.trackingclick.net
182.253.238.102 xml.adfclick1.com
182.253.238.102 prjcq.com
182.253.238.102 servicegetbook.net
182.253.238.102 damaral.com
182.253.238.102 Cliponyu.com
182.253.238.102 49.media.tumblr.com
182.253.238.102 40.media.tumblr.com
182.253.238.102 41.media.tumblr.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Hguea3MatshjLaoec
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: Triptofan 3.0part3.exe
Internal Name: Triptofan 3.0part3
File Version: 1.00
File Description:
Comments:
Language: English (United Kingdom)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 184656 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 192512 11024 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 204800 931040 28672 3.93817 828f1b717f410b2d3be77d164331cc04
.vmp0 1138688 220812 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 1359872 637743 638976 5.50977 3b2faf886ddcae8905c7f4a054a52d09

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://googleapis.l.google.com/ajax/libs/jquery/2.1.3/jquery.min.js
hxxp://pl14336753.pvclouds.com/c1/91/cd/c191cdedf2d49ff724fe8b19d5277cff.js
hxxp://www3.l.google.com/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0=
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6
hxxp://googleapis.l.google.com/css?family=Oswald:400,700
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k
hxxp://pagead46.l.doubleclick.net/pagead/js/adsbygoogle.js
hxxp://ad.a-ads.com/713373?size=468x60
hxxp://ie8eamus.com/sfp.js
hxxp://www.modulepush.com/e604cb81f3c1551e1b0b66f6ab1e3f05/invoke.js
hxxp://go.oclasrv.com/apu.php?zoneid=1369047
hxxp://e734.a.akamaiedge.net/js/300/addthis_widget.js
hxxp://deloton.com/apu.php?zoneid=1369047
hxxp://216.58.215.115//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts
hxxp://pl14336753.pvclouds.com/invoke.js
hxxp://www.modulepush.com/watch.263388127039?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid=
hxxp://www.modulepush.com/watch.263388127039?shu=a00fe2beca0898b02346310b7d90e007f9b9e1bdc9f7e494a5bc35eacdf33ac8d9f02c278312950caf09c1a6404488e50c23d214a55cf37091bb07ca582fc96f106d3c4bbe549f9c&pst=1529333207&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&kw=[]&tz=3&dev=r&res=4.0
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCELheZBeE9GM
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCAmuJW8izj/K
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8=
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCDVgU4Bnrknm
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ=
hxxp://crt.comodoca.com.cdn.cloudflare.net/COMODORSAAddTrustCA.crt
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA=
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI=
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI=
hxxp://scontent.xx.fbcdn.net/connect/xd_arbiter/r/mAiQUwlReIP.js?version=42
hxxp://cs9.wac.phicdn.net/sha2-ha-server-g6.crl
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc=
hxxp://rvip1.ue.cachefly.net/sha2-ha-server-g6.crl
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY=
hxxp://waw02s17-in-f19.1e100.net/favicon.ico
hxxp://cdnjs.cloudflare.com/ajax/libs/fingerprintjs2/1.6.1/fingerprint2.min.js
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl
hxxp://cs9.wpc.v0cdn.net/IE9CompatViewList.xml
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl
hxxp://fonts.googleapis.com/css?family=Oswald:400,700 172.217.18.170
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= 93.184.220.29
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCELheZBeE9GM
hxxp://crl4.digicert.com/sha2-ha-server-g6.crl 66.225.197.197
hxxp://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml 152.199.19.161
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCAmuJW8izj/K
hxxp://fonts.gstatic.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff 172.217.18.163
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= 93.184.220.29
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 77.222.148.97
hxxp://www.urldelivery.com/watch.263388127039?shu=a00fe2beca0898b02346310b7d90e007f9b9e1bdc9f7e494a5bc35eacdf33ac8d9f02c278312950caf09c1a6404488e50c23d214a55cf37091bb07ca582fc96f106d3c4bbe549f9c&pst=1529333207&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&kw=[]&tz=3&dev=r&res=4.0 198.134.112.241
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6
hxxp://fonts.gstatic.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff 172.217.18.163
hxxp://www.bnserving.com/invoke.js
hxxp://www.urldelivery.com/watch.263388127039?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= 198.134.112.241
hxxp://crl3.digicert.com/sha2-ha-server-g6.crl 93.184.220.29
hxxp://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js 172.217.23.170
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= 93.184.220.29
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ=
hxxp://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0=
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= 178.255.83.1
hxxp://www.citpekalongan.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts
hxxp://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
hxxp://www.citpekalongan.com/favicon.ico
hxxp://crt.comodoca.com/COMODORSAAddTrustCA.crt
hxxp://s7.addthis.com/js/300/addthis_widget.js 2.22.92.206
hxxp://sr.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= 23.51.123.27
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCDVgU4Bnrknm
hxxp://staticxx.facebook.com/connect/xd_arbiter/r/mAiQUwlReIP.js?version=42
1.bp.blogspot.com 172.217.18.161
2.bp.blogspot.com 172.217.18.161
scontent.fiev7-2.fna.fbcdn.net 77.222.131.81
www.paypalobjects.com 80.239.245.5


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\MSINET.OCX (267 bytes)
    C:\Windows\System32\COMCTL32.OCX (608 bytes)
    C:\Windows\System32\COMDLG32.OCX (307 bytes)
    C:\Windows\MTziL.dll (332 bytes)
    C:\Windows\System32\drivers\etc\hosts (9 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
