MD5: 3d7f629fbdcb6eeac324de84f5a9d2d4
SHA1: 090aef9f44e0f349e9ac4e658ce6712e716c1db2
SHA256: 7e397e21366949daa842ee793583e2708968b415d77d32777088f061e047bded
SSDeep: 98304:8vt z3I jM6lG49Av7P89yiCvQ8uOlGE:8vq/MH4IvoOl
Size: 3956736 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-11 13:53:33
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:552

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe.manifest (557 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab62A.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_11D0F22CE6081A4F08D1CBCA0DCF2342 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec_RBAlarm.txt (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar62B.tmp (2712 bytes)
C:\temp_2017Äê10ÔÂ12ÈÕ4ʱ26·Ö27Ãë (895 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec_ad.txt (80 bytes)
C:\temp_2017Äê10ÔÂ12ÈÕ4ʱ26·Ö47Ãë (249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec.ini (13033 bytes)
C:\netsw.ini (193 bytes)
C:\config.ini (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_11D0F22CE6081A4F08D1CBCA0DCF2342 (680 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab62A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar62B.tmp (0 bytes)
C:\temp_2017Äê10ÔÂ12ÈÕ4ʱ26·Ö47Ãë (0 bytes)
C:\Windows\System32\drivers\etc\hosts (0 bytes)

Registry activity

The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\3d7f629fbdcb6eeac324de84f5a9d2d4_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 895 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEExM2KD8T+quFVSofwkO2oc=
hxxp://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEExM2KD8T+quFVSofwkO2oc=	23.46.123.27
dns.msftncsi.com
s.symcb.com
teredo.ipv6.microsoft.com
hc.symcd.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEExM2KD8T+quFVSofwkO2oc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: s.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.2

Content-Type: application/ocsp-response

Content-Length: 1763

content-transfer-encoding: binary

Cache-Control: max-age=418010, public, no-transform, must-revalidate

Last-Modified: Mon, 9 Oct 2017 21:29:37 GMT

Expires: Mon, 16 Oct 2017 21:29:37 GMT

Date: Thu, 12 Oct 2017 01:26:33 GMT

Connection: keep-alive
0..........0..... .....0......0...0.......WI.....L.c=...r..7Z..2017100
9212937Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..LL...O...T..........20171009212937Z....20171016212937Z0...*.H.....
........!..X.O...N2z..J...}.#.7..& .d.....5...N$e.FD.....R......rp..A.
..'.s<Kf..J.sP....../a!.!.d.....b.M.....Kq2...2.(...E..T ]..@..h.cg
....o..g.....z...;..)3B;.....6..i@(Q-{..[.).|0.2.H.z...r.=..x.UG_.n.R.
'...bSp.V.!.Y...x\...L._....Q.Q2#...zATB....`....C..^...%....0...0...0
..........^..)......<...T.0...*.H........0..1.0...U....US1.0...U...
.VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 Ve
riSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 P
ublic Primary Certification Authority - G50...161122000000Z..171214235
959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec
 Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Cert
ificate 50.."0...*.H.............0.............................m..|...
.....1rUZN.b.......t. d......O...NY.lR..k .Q.z.g.4(,...Rp.7...0C.j.)Z.
....... ~..3...x.b.-..... S^0<6...!.(..2}...T.fX}...6...(...1...#..
H..|`.yy.<B.z.q$......u.-..K.!......y..8..--....?.,.[.[...5.e.4....
.D..t.;....).J....\fV..G.........0...0...U.......0.0l..U. .e0c0a..`.H.
..E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http:
//VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0.
.....0"..U....0...0.1.0...U....TGV-OFF-500...U.......WI.....L.c=...r..
7Z0...U.#..0.....e......0..C9...3130...*.H.............<wN..g..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t%SVh

t$(SSh

|$D.tm

~%UVW

}?9\$0~9

u$SShe

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

u%CNu

MaxKeySize

Invalid key size

%UUUU1E

%UUUU3

5 passes)

1.2.3

DB00735E-CFFB-47E6-B060-BB0D74008B7A

94-401@163.com

Bv=kAv.SCv

shlwapi.dll

user32.dll

psapi.dll

advapi32.dll

ntdll.dll

dbghelp.dll

OLEACC.DLL

ole32.dll

EnumWindows

EnumChildWindows

ShellExecuteA

MsgWaitForMultipleObjects

{B6F7542F-B8FE-46a8-9605-98856A687097}

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

{18C0788E-59AE-4112-B452-6BF0C1B727FB}

ap:\SampleWav.wav

\SampleWav.wav

Windows 95 Utopia Sound Scheme

mazrob@panix.com

whichurl

PopSomeUrl

_ec.ini

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

isshowverscroll

_ec_RBAlarm.txt

\config.ini

\oem.ini

\about.html

<html><head><style type="text/css">a:link {text-decoration: none;color: #FF0000}a:visited {text-decoration: none;color: #999999}a:hover {text-decoration: none;color: #0000FF}a:active {text-decoration: none;color: #FF0000}BODY { SCROLLBAR-ARROW-COLOR:#FFFFFF;SCROLLBAR-FACE-COLOR:#CCCCCC;SCROLLBAR-DARKSHADOW-COLOR:#FFFFFF;SCROLLBAR-HIGHLIGHT-COLOR:#FFFFFF;SCROLLBAR-3DLIGHT-COLOR:#FFFFFF;SCROLLBAR-SHADOW-COLOR:#FFFFFF;SCROLLBAR-TRACK-COLOR:#FFFFFF;border:none}div { font-family: "tahoma"; font-size: 9pt; letter-spacing: 1pt; word-spacing: 1pt}p { font-family: "tahoma"; font-size: 9pt; letter-spacing: 1pt; word-spacing: 1pt}</style></head><body link="#0066CC" vlink="#0066CC" alink="#0066CC"><script language="JavaScript">var win_art=window.open("hXXps://s.click.taobao.com/t?e=m=2&s=QhD64SyxccocQipKwQzePCperVdZeJviEViQ0P1Vf2kguMN8XjClAkvZlFzOliqCdUmGWa6wtlkVxVZ+c/OJhpPo+rdbrqxw4PFzMPxcp0u1UGE13cxIVlW00662PG2K8Cm/wUl4ESHcHtRpEUy6RLSgd9R/v5WktY4Qt2cZ1lVeY+y0blbhscYl7w3/A2kb","info","width=1024,height=600")</script><p><font size="4" face="

<a href="hXXps://pan.baidu.com/share/home?uk=1597443720" target="_blank">hXXps://pan.baidu.com/share/home?uk=1597443720</a>

282476501

<a href="hXXps://pan.baidu.com/share/home?uk=3110472904" target="_blank">hXXps://pan.baidu.com/share/home?uk=3110472904</a>

303310822

<a href="hXXp://yanzhoudezhu.ys168.com" target="_blank">hXXp://yanzhoudezhu.ys168.com</a>

<a href="hXXp://apsoft.ys168.com" target="_blank">hXXp://apsoft.ys168.com</a>

1790042182

<a href="hXXps://1790042182.taobao.com" target="_blank">hXXps://1790042182.taobao.com</a>

aibabaaimama@foxmail.com</b></font></p><div><img src="hXXp://7xqqgi.com1.z0.glb.clouddn.com/阿P软件微信订阅号.jpg" width="150" height="150" style="line-height: 28px;"><img src="hXXp://ys-d.ys168.com/233483810/l4I456S395IM5kSeqOP/abbamm_alipay.jpg" width="150" height="150" style="line-height: 28px;"></div></body></html>[ONLINEEND]

hXXps://VVV.cnblogs.com/commonaccount/p/5790761.html

\netsw.ini

0@hXXp://apsoft.ys168.com

hXXps://VVV.cnblogs.com/commonaccount/p/4749954.html

\reload.ini

\reloadahk.exe

!"#$%%&'())* ,-./0123456789:;<="">?

8D$%S

Wf9.ty

u$

GetProcessWindowStation

operator

InternetOpenUrlW

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

RegDeleteKeyExW

GdiplusShutdown

Error text not found (please report)

WSOCK32.dll

WINMM.dll

VERSION.dll

COMCTL32.dll

PSAPI.DLL

GetCPInfo

GetWindowsDirectoryW

KERNEL32.dll

GetKeyState

GetKeyboardLayout

SetWindowsHookExW

UnhookWindowsHookEx

RegisterHotKey

UnregisterHotKey

GetAsyncKeyState

GetKeyboardState

SetKeyboardState

keybd_event

VkKeyScanExW

MapVirtualKeyW

ExitWindowsEx

USER32.dll

GDI32.dll

COMDLG32.dll

RegCloseKey

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

RegCreateKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteExW

SHFileOperationW

SHELL32.dll

OLEAUT32.dll

GetProcessHeap

zcÁ

; <COMPILER: v1.1.13.01>

ifnotexist, reload.ini

IniRead, sec, reload.ini, general, sec2wait, 3

IniRead, exe, reload.ini, general, exepath

if ( exe = "" )

sleep, %sec0

run, %exe%

IniWrite, %blank%, reload.ini, general, exepath

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity version="1.1.00.00" processorArchitecture="*" name="AutoHotkey" type="win32"></assemblyIdentity><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><asmv3:application><asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings"><dpiAware>true</dpiAware></asmv3:windowsSettings></asmv3:application></assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

1790042182

hXXp://wpa.qq.com/msgrd?v=1&uin=1790042182&site=qq&menu=yes

WScript.Shell

rundll32.exe url.dll,FileProtocolHandler

Internet Explorer\IEXPLORE.EXE

P@iexplore.exe

Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE\path

Tencent\QQ\Bin\QQ.exe

Tencent\QQLite\Bin\QQ.exe

QQ.exe

\system32\taskmgr.exe

%SystemRoot%CreateShortcut

HotKey

WindowStyle

BASEURL=hXXp://VVV.fuck123.com

URL=hXXp://VVV.fuck123.com

hXXp://VVV.fuck123.com

Speed.bat

\Speed.bat

cmd.exe /c rd /s /q "

c:\Del.exe

c:\DelFile.sys

cmd.exe /c del "

f:\lnk\0001\0002\0003\0004\0005\0006\0007\0008\0009\0010\0011\0012\0013\0014\0015\0016\0017\0018\0019\0020\0021\0022\0023\0024\0025\0026\0027\0028\0029\0030\0031\0032\0033\0034\0035\0036\0037\0038\0039\0040\0041\0042\0043\0044\0045\0046\0047\0048

nosetie.ap

.DEFAULT\Software\Microsoft\Internet Explorer\Main\

Default_Page_URL

Default_Search_URL

\friends.txt

_ec_ad.txt

c:\ap\apsoft.txt

hXXps://VVV.cnblogs.com/commonaccount/p/4750152.html

\sgg\sgg.exe

\update.html

hXXp://VVV.dywt.com.cn/news/2009/071001.html

hXXps://pan.baidu.com/share/home?uk=1597443720

282476501

hXXps://pan.baidu.com/share/home?uk=3110472904

303310822

hXXp://yanzhoudezhu.ys168.com

hXXp://apsoft.ys168.com

hXXps://1790042182.taobao.com

00:00:00

hXXps://VVV.cnblogs.com/commonaccount/p/5575118.html

hXXp://fangwentongji.blog.163.com/blog/static/226087030201410217745717/

\showhotkey2quitblock.txt

\online.ini

\offline.ini

VVV.baidu.com

Windows\System32\drivers\etc\hosts

42.121.252.58 VVV.cnblogs.com

\isonline.apsoft

cmd.exe /c ipconfig /flushdns

11000002000001

ifeng.com

{0002DF05-0000-0000-C000-000000000046}

{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}

{6D5140C1-7436-11CE-8034-00AA006009FA}

nojingmozipmeici.ap

nojingmoziponce.ap

noyouxiatupian.ap

notanlianjiye.ap

noyouxiabiaotitianjia.ap

nosetie.ap

noinsad.ap

nowzdh.ap

noyxie.ap

noupdatemsg.ap

nogonggao.ap

1234567890

hXXps://VVV.cnblogs.com/commonaccount/p/4750212.html

\kjm.ini

.html

<a href="hXXp://pan.baidu.com/share/home?uk=1597443720" target="_blank">hXXp://pan.baidu.com/share/home?uk=1597443720</a>

hXXp://yanzhoudezhu.ys168.com/

noyxie.ap

hXXp://wpa.qq.com/msgrd?v=1&uin=

\shezhic.ini

\picture.txt

\music.txt

|*.bmp;*.jpg;*.gif

ap:\screencap.bmp

\screencap.bmp

ap:\bingd.bmp

|123.exe|456.exe|someprog.exe|

hXXp://apsoft.ys168.com/

taskmgr.exe

|*.mp3

hXXp://

|*.wav

hXXps://VVV.cnblogs.com/commonaccount/p/5002579.html

Microsoft.XMLHTTP

hXXps://VVV.baidu.com

hXXp://VVV.sina.com.cn

\apLog.txt

apLog.txt

thisfullexename

noupdatemsg.ap

.manifest

name="C.App"

version="1.0.0.0"

<requestedExecutionLevel

hXXps://VVV.cnblogs.com/commonaccount/p/4749988.html

nojingmoziponce.ap

\win98xp_.zip

\ApTimeAlarm-2.txt

noyouxiabiaotitianjia.ap

nojingmozipmeici.ap

hXXps://VVV.cnblogs.com/commonaccount/p/4750101.html

\everydo_.zip

notanlianjiye.ap

hXXps://VVV.cnblogs.com/commonaccount/p/5885209.html

hXXps://VVV.cnblogs.com/commonaccount/p/4750085.html

*.txt

|*.txt

282476501

.comment {color:green}

#56Uguv

g5Ÿ

ap:\samplepic.jpg

v2.xxx

hXXp://news.baidu.com/

5OwM4.uWw

H9%U?x

".GI@

.XQTL

%Dj"P_

0d!.yl

G %CX

B.DXY&

'^.ob $OH;

z%6XkP

l.yK(

&%.DC

@^sð5S

0!.US3K

)A.lP

%cktF

CLA%C[8

Ü>@

;.cKq

*.DTT^v7

fPSX].BuLM

f1/i.rP

b%D)0

C].iiI)s

`ÎP[@G6

.wDeZJ

\.zY.>K

[<K.Cq

4.xS;`

kÚ?

M%SX)A

C2.BY

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.2.18

?%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

windows

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

MSVFW32.dll

AVIFIL32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WS2_32.dll

RASAPI32.dll

WinExec

GetWindowsDirectoryA

SetWindowsHookExA

GetKeyboardType

CreateDialogIndirectParamA

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

MSIMG32.dll

WINSPOOL.DRV

comdlg32.dll

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

oledlg.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

icmp.dll

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

.PAVCResourceException@@

%d-%d-%d

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.jpg;*.bmp;*.gif;*.ico;*.cur|JPG

(*.JPG)|*.jpg|BMP

(*.BMP)|*.bmp|GIF

(*.GIF)|*.gif|

(*.ICO)|*.ico|

(*.CUR)|*.cur||

USER32.DLL

(*.htm;*.html)|*.htm;*.html

<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>

<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>

<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>

<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>

burlywood

\winhlp32.exe

%d%d%d

rundll32.exe shell32.dll,

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

(%S)%M%D %y-%m-%d

After RemoveDC(), pen counter: %d, bursh counter: %d, font counter: %d

!!! Create pen ERROR! ErrNo.[%d]

  Create pen No.%d

!!! Create brush ERROR! ErrNo.[%d]

  Create brush No.%d

!!! Create font ERROR! ErrNo.[%d]

  Create font No.%d

- Delete pen No.%d

- Delete brush No.%d

- Delete font No.%d

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

c:\%original file name%.exe

*.yUW

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

AutoHotkey

%s[Object]: 0x%p

AppsKey

ListHotkeys

KeyHistory

DetectHiddenWindows

SetKeyDelay

KeyWait

URLDownloadToFile

MsgBox

IfMsgBox

Hotkey

AHK Keybd

Warning: The keyboard and/or mouse hook could not be activated; some parts of the script will not function.

Modifiers (Hook's Logical) = %s

Modifiers (Hook's Physical) = %s

Prefix key is down: %s

NOTE: Only the script's own keyboard events are shown

(not the user's), because the keyboard hook isn't installed.

NOTE: To disable the key history shown below, add the line "#KeyHistory 0" anywhere in the script. The same method can be used to change the size of the history buffer. For example: #KeyHistory 100 (Default is 40, Max is 500)

The oldest are listed first. VK=Virtual Key, SC=Scan Code, Elapsed=Seconds since the previous event. Types: h=Hook Hotkey, s=Suppressed (blocked), i=Ignored because it was generated by an AHK script, a=Artificial, #=Disabled via #IfWinActive/Exist, U=Unicode character (SendInput).

E7 X

X X

%u hotkeys have been received in the last %ums.

(see #MaxHotkeysPerInterval in the help file)

Nonexistent hotkey.

Nonexistent hotkey variant (IfWin).

Max hotkeys.

The AltTab hotkey "%s" must specify which key (L or R).

The AltTab hotkey "%s" must have exactly one modifier/prefix.

"%s" is not allowed as a prefix key.

"%s" is not a valid key name.

scX

vkX

%s[%Iu of %Iu]: %-1.60s%s

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%s\%s

AutoHotkey2

Critical Error: %s

<>=/|^,:*&~!()[]{} -?."'\;`

>AUTOHOTKEY SCRIPT<

Could not extract script from EXE.

<>=/|^,:

<>=/|^,:. -*&!?~

Join

Hotkeys/hotstrings are not allowed inside functions.

Duplicate hotkey.

Note: The hotkey %s will not be active because it does not exist in the current keyboard layout.

*%s::

if not GetKeyState("%s")

{Blind}%s%s{%s DownTemp}

*%s up::

{Blind}{%s Up}

#InstallKeybdHook

#HotkeyModifierTimeout

#HotkeyInterval

#MaxHotkeysPerInterval

#MaxThreadsPerHotkey

#KeyHistory

#MenuMaskKey

: -*/|&^.

<>=/|^,:*&~!()[]{} -?."

Invalid hotkey.

"%s" requires at least %d parameter%s.

"%s" requires that parameter #%u be non-blank.

<>=/|^,:*&~!()[]{}"

<>=/|^,:*&~!()[]{} -?

Quote marks are required around this key.

<>=/|^,:*&~!()[]{} -?.

%s.%s

Unsupported parameter default.

%s.%.*s := %.*s,

GetKey

HasKey

detecthiddenwindows

keydelay

subkey

thishotkey

priorhotkey

timesincethishotkey

timesincepriorhotkey

priorkey

Too many parameters passed to function.

Missing "key:" in object literal.

Too few parameters passed to function.

Unsupported method call syntax.

%s%s%s

%%%s%s%s

Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after it is in parentheses to the right (if not 0). The bottommost line's elapsed time is the number of seconds since it executed.

u:

if %s %s %s and %s

%s%s %s %s

For %s,%s in %s

%s (%d) : ==> %s

Specifically: %s

in #include file "%s"

%s%s:%s %-1.500s

Specifically: %-1.100s%s

Error at line %u

Line Text: %-1.100s%s

%s (%d) : ==> Warning: %s

%s (a %s variable%s)

%s (in function %s)

Local Variables for %s()%s

%sGlobal Variables (alphabetical)%s

Window: %s

Keybd hook: %s

Mouse hook: %s

Enabled Timers: %u of %u (%s)

Interrupted threads: %d%s

Paused threads: %d of %d (%d layers)

Modifiers (GetKeyState() now) = %s

Key History has been disabled via #KeyHistory 0.

System verbs unsupported with RunAs.

%s %s

.exe.bat.com.cmd.hta

Verb: <%s>

Action: <%-0.400s%s>%s

Params: <%-0.400s%s>

&#%d;

EndKey:

0xX

0xX

s%sLeft

%sTop

%sRight

%sBottom

\AU3_Spy.exe"

%sAU3_Spy.exe"

\AutoHotkey.chm"

%sAutoHotkey.chm"

hh.exe

hXXp://ahkscript.org

Could not open URL hXXp://ahkscript.org in default browser.

SOFTWARE\AutoHotkey

AutoHotkey v1.1.13.01

set cdaudio door %s wait

open %s type cdaudio alias cd wait shareable

set cd door %s wait

\\.\%c:

Mixer Doesn't Support This Component Type

Component Doesn't Support This Control Type

open "%s" alias AHK_PlayMe

Select File - %s

%s%c%sÊll Files (*.*)%c*.*%c

All Files (*.*)

Text Documents (*.txt)

1.1.13.01

\AutoHotkey.exe

Pos%s

Len%s

Pos%d

Len%d

Compile error %d at offset %d: %hs

RunAs: Missing advapi32.dll.

0.0.0.0

Select Folder - %s

%u.%u.%u.%u

.----/01/01/01

0xX -

%s%ws

AutoHotkeyGUI

%sGui

Button%s

msctls_hotkey32

Report

Password

Supported only for the tray menu

&Suspend Hotkeys

Gdd

dddddd

The following %s name contains an illegal character:

The maximum number of MsgBoxes has been reached.

&Lines most recently executed

&Hotkeys and their methods

&Key history and script info

&Web Site

(*.*)

Grid.Document

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:552

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\%original file name%.exe.manifest (557 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab62A.tmp (53 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_11D0F22CE6081A4F08D1CBCA0DCF2342 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec_RBAlarm.txt (46 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar62B.tmp (2712 bytes)
   C:\temp_2017Äê10ÔÂ12ÈÕ4ʱ26·Ö27Ãë (895 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec_ad.txt (80 bytes)
   C:\temp_2017Äê10ÔÂ12ÈÕ4ʱ26·Ö47Ãë (249 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\3d7f629fbdcb6eeac324de84f5a9d2d4_ec.ini (13033 bytes)
   C:\netsw.ini (193 bytes)
   C:\config.ini (35 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_11D0F22CE6081A4F08D1CBCA0DCF2342 (680 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.