Gen:Variant.Graftor.51367 (B) (Emsisoft), Gen:Variant.Graftor.51367 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: cb4039470565afca078b395eca897312
SHA1: 66d082b1617b34a690a641a699a5db26a05048aa
SHA256: a3b555d8f5d0d190edf1df5d0f2f1b0ddd239d5fdd1341bd5a93b4f40adece83
SSDeep: 49152:m2yxYsMylQdylnveur62l042dkhYEqF8xa4WMvzAQU3t1NXX5:Yez0QdQF042AY8xlWrQktfXJ
Size: 4775936 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: StdLib
Created at: 2015-06-12 21:58:34
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:660
Mutexes
The following mutexes were created/opened:
File activity
The process %original file name%.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
Registry activity
The process %original file name%.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072420150725]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015072420150725\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072420150725]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1434135514"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 70 E1 A0 8E 03 EE 20 7F 11 1A 5A C2 96 00 0F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072420150725]
"CachePrefix" = ":2015072420150725:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072420150725]
"CacheRepair" = "0"
"CacheLimit" = "8192"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
a0c138f4dfe8ce9d9cbf18703c8564bf | c:\Proxy.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: ????
Product Name: LOL?????????
Product Version: 4.4.0.0
Legal Copyright: ?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.4.0.0
File Description: ?????????????
Comments: ????????
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2868223 | 2871296 | 4.29646 | a2fc2882a355d4e3ed16ef6c9869d0e6 |
.rdata | 2875392 | 1154598 | 1155072 | 4.85275 | a41b37cd2e146f34e829676ebbd39756 |
.data | 4030464 | 876010 | 638976 | 4.70748 | 6a92caa3098671947dc63c5f3b6fd97a |
.rsrc | 4907008 | 105344 | 106496 | 3.02269 | 1067e5720998d9b04cd00aeae61785b8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ww.da113.badudns.cc/AppEn.php?appid=540520&md5=c607e3acbcba725b6213f87e9df0b6d2 | |
hxxp://www.2345.com/?k83357698 | 42.62.30.180 |
hxxp://www.2345.com/css/common_20150330.js?v=2.28.1 | 42.62.30.180 |
hxxp://www.2345.com/time.txt?t=23962506 | 42.62.30.180 |
hxxp://www.2345.com/css/index_20150722_02.css?v=5.28.1 | 42.62.30.180 |
hxxp://www.2345.com/fonts/2345_1224.eot? | 42.62.30.180 |
hxxp://www.2345.com/images/common/top_20150327.png | 42.62.30.180 |
hxxp://www.2345.com/images/logo/logo_20150723.png | 42.62.30.180 |
hxxp://www.2345.com/i/blank.png | 42.62.30.180 |
hxxp://www.2345.com/images/tipSet_ie6.png | 42.62.30.180 |
hxxp://www.2345.com/images/body0_2.png | 42.62.30.180 |
hxxp://www.2345.com/images/common/login_1217.png | 42.62.30.180 |
hxxp://www.2345.com/images/lazyloading.gif | 42.62.30.180 |
hxxp://www.2345.com/images/bgs14.png | 42.62.30.180 |
hxxp://www.2345.com/i/search0320/baidu_web.gif | 42.62.30.180 |
hxxp://www.2345.com/images/skin0_20.png | 42.62.30.180 |
hxxp://www.2345.com/images/common/search_140829.png | 42.62.30.180 |
hxxp://www.2345.com/right/homepage/zjsVersion.js?t=23962506 | 42.62.30.180 |
hxxp://www.2345.com/css/input_20150426.js?ver=1.0 | 42.62.30.180 |
hxxp://www.2345.com/css/func_20150716_01.js?ver=1.0 | 42.62.30.180 |
hxxp://p.gds.tanx.com/ex?i=mm_26632324_6858394_30122664 | |
hxxp://www.2345.com/images/kz_tmall_20150721.gif | 42.62.30.180 |
hxxp://atanx.alicdn.com.danuoyi.tbcache.com/t/tanxssp.js | 195.27.31.240 |
hxxp://www.2345.com/i/banner2_20150724.jpg | 42.62.30.180 |
hxxp://atanx.alicdn.com.danuoyi.tbcache.com/t/tanxssp/main.js | 195.27.31.240 |
hxxp://atanx.alicdn.com.danuoyi.tbcache.com/t/tanxssp/privacy.js | 195.27.31.240 |
hxxp://tianqi.2345.com/t/detect2009v2.php?ver=1.0 | 42.62.30.188 |
hxxp://www.2345.com/i/banner1_150703.png | 42.62.30.180 |
hxxp://www.2345.com/right/homepage/newsChannel_20141226.js?t=1437702410&ver=6.24.18.0 | 42.62.30.180 |
hxxp://p.gds.tanx.com/ex?i=mm_26632324_6858394_30122664&cb=jsonp_callback_4578&callback=&userid=&o=&f=&n=&re=1276x846&r=1&cah=818&caw=1276&ccd=32&ctz=3&chl=0&cja=1&cpl=0&cmm=0&cf=10.0&cg=d6d9dfb475bd7883ccdccfd926a04030&pvid=a2d395b3589f66cd99d45c51f7d383d8&pvid_1=d636bc85da57fdb18c4abe5fca1fe7ce&ai=0&ac=8892&prk=65573767&cas=prk&cbh=3043&cbw=1000&dx=1&u=http://www.2345.com/?k83357698&k=&tt=2345莽陆 |