TrojanDownloader.Win32.Genome.gxoa_5a4e7104ee – Adaware

Trojan-Downloader.Win32.Genome.gxoa (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 5a4e7104eec7aa193c948f874f8bfb45

SHA1: 54768cd7b1817c961c87730e1048acfea81d4a7c

SHA256: 6c2903a4bfab5cec466817324786134b5906c66304b77138286bd839498c81bb

SSDeep: 24576:anGfdRGmay4PjE9bUix084d2mVWca83VSQCbLL0BnqQv:6GfjGfjkoPwx8cHbLIBn7

Size: 1072387 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: A.P.P.

Created at: 2009-06-07 00:41:59

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

shandian.exe:1236
shandian.exe:1800

The Trojan-Downloader injects its code into the following process(es):

sdad.exe:1612
%original file name%.exe:1352

File activity

The process sdad.exe:1612 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (2716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b19[1].jpg (2659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stylemini[1].css (5481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\0[1].swf (14391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (2357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\normal_bg[1].png (6644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa7[1].jpg (3459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[2].jpg (10051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (7228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\miniindex[1].htm (1247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (1816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\min[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b16[1].jpg (7280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa9[1].jpg (2739 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (495 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (4737 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (8088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (5737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (4716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa8[1].jpg (2800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa5[1].jpg (15139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Untitled-3[1].jpg (2528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa10[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (5536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_new2[1].png (10020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Close[1].gif (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cpc_img[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b14[1].jpg (10434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[2].jpg (11588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (2795 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\d[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (7936 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[2].jpg (1736 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shehui_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b17[1].jpg (6124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lieqi_509_366[1].htm (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (10771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (9831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (2816 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[2].htm (2276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (1736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (4478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa2[1].jpg (7096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[2].jpg (12362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (2280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[1].js (51789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_ztyw[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2012_swf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (5752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-2[1].gif (1840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa1[1].jpg (10131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xinwen[1].htm (1799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (5628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (4059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b13[1].jpg (5136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-1[1].gif (2360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[2].js (4781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nvxing_509_366[1].htm (2273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (1263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa6[1].jpg (4736 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (0 bytes)

The process shandian.exe:1236 makes changes in the file system.

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF82D5.tmp (0 bytes)

The process shandian.exe:1800 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fine_cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\rec[1].do (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (8409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1] (7853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[2].js (3170 bytes)
%Program Files%\shandian\bin\twcache.ini (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo_1112293[1].gif (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (3509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin3[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fbg_about[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\subnav_v41[1].png (634 bytes)
%Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-video-2[1].gif (225 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\favicon[1].ico (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_tj[1].php (1019 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20130531144119_126[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (1555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1].htm (6365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[2].js (254 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526151008_75[1].jpg (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin_[1].css (21 bytes)
%Program Files%\shandian\bin\theworld.ac (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526163242_997[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (3123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (2935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163043_207[1].jpg (1264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\guide_tip[1].png (3144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\texture[1].gif (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140520113551_825[1].jpg (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[2].js (1368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v53_2icos[1].gif (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20130820165531_481[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[2].png (2331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[2].js (11947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[2].js (2303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-ico-2b[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_top[1].jpg (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140508103513_537[1].gif (3628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[2].js (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\20130830161205_609[1].gif (2642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\edKzjJ6oPX1140[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\start_button[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zd7uDX2EkK0904[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[2].js (2772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163446_912[1].jpg (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-erweima2[1].png (3488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_123_v53[1].php (14237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\welcome_cn[1].htm (1469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\titlebg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526170756_638[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\v53_bicos[1].gif (826 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (0 bytes)
%Program Files%\shandian\bin\shandian.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (0 bytes)

The process %original file name%.exe:1352 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config0.ini (4 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (505 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·\ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â¶ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã‹Å“ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config.ini (3 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Program Files%\shandian\shandian.exe (3124 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (700 bytes)
%Documents and Settings%\%current user%\Desktop\360Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â²ÃƒÆ’Ã‹â€ Ãƒâ€šÃ‚Â«ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\bind.dll (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)

Registry activity

The process sdad.exe:1612 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "sdad.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1384939658"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 5C 58 66 4B 24 BA A2 94 27 40 2C 5A 34 A3 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:1236 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B A3 07 C7 C6 49 47 14 35 26 8F F2 AB EF 42 58"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:1800 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014052620140527\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CacheLimit" = "8192"

"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
"shandian.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CachePrefix" = ":2014052620140527:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "shandian.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"shandian.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1301653454"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 77 BC E3 97 80 BF 68 43 6B C5 06 B7 50 06 CF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1352 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·]
"DisplayName" = "ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·]
"Publisher" = "ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·]
"URLInfoAbout" = "http://www.sd.com"
"DisplayIcon" = "%Program Files%\shandian\shandian.exe"

"UninstallString" = "%Program Files%\shandian\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A A0 54 7B 67 86 E7 2D A2 71 F6 7E 22 83 78 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
a7d710e78711d5ab90e4792763241754	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\Md5dll.dll
00a0194c20ee912257df53bfe258ee4a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\System.dll
e2b78c96162ad8c36a623e6a4ba1c216	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\bind.dll
3a5ed71aa9c6846d95d57235c4c443d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\xID.dll
8f87437f10cd1ae1d2e8a16c74edb3bd	c:\Program Files\shandian\bin\sdad.exe
14748083682ed1f9ef1dc28bb609050a	c:\Program Files\shandian\bin\shandian.exe
e05c408b45877ca878fc12a27d016568	c:\Program Files\shandian\shandian.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
shandian.exe:1236
shandian.exe:1800
Delete the original Trojan-Downloader file.
Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (2716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b19[1].jpg (2659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stylemini[1].css (5481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\0[1].swf (14391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (2357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\normal_bg[1].png (6644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa7[1].jpg (3459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[2].jpg (10051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (7228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\miniindex[1].htm (1247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (1816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\min[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b16[1].jpg (7280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa9[1].jpg (2739 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (495 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (4737 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (8088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (5737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (4716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa8[1].jpg (2800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa5[1].jpg (15139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Untitled-3[1].jpg (2528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa10[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (5536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_new2[1].png (10020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Close[1].gif (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cpc_img[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b14[1].jpg (10434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[2].jpg (11588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (2795 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\d[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (7936 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[2].jpg (1736 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[2].txt (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shehui_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b17[1].jpg (6124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lieqi_509_366[1].htm (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (10771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (9831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (2816 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[2].htm (2276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (1736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (4478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa2[1].jpg (7096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[2].jpg (12362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (2280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[1].js (51789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_ztyw[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2012_swf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (5752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-2[1].gif (1840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa1[1].jpg (10131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xinwen[1].htm (1799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (5628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (4059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b13[1].jpg (5136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-1[1].gif (2360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[2].js (4781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nvxing_509_366[1].htm (2273 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.mdtxw[1].txt (1263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa6[1].jpg (4736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fine_cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\rec[1].do (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (8409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1] (7853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[2].js (3170 bytes)
%Program Files%\shandian\bin\twcache.ini (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo_1112293[1].gif (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (3509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin3[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fbg_about[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\subnav_v41[1].png (634 bytes)
%Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-video-2[1].gif (225 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\favicon[1].ico (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_tj[1].php (1019 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20130531144119_126[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (1555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1].htm (6365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[2].js (254 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526151008_75[1].jpg (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin_[1].css (21 bytes)
%Program Files%\shandian\bin\theworld.ac (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526163242_997[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (3123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (2935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163043_207[1].jpg (1264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\guide_tip[1].png (3144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\texture[1].gif (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140520113551_825[1].jpg (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[2].js (1368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v53_2icos[1].gif (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20130820165531_481[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[2].png (2331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[2].js (11947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[2].js (2303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-ico-2b[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_top[1].jpg (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140508103513_537[1].gif (3628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[2].js (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\20130830161205_609[1].gif (2642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\edKzjJ6oPX1140[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\start_button[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zd7uDX2EkK0904[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[2].js (2772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163446_912[1].jpg (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-erweima2[1].png (3488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_123_v53[1].php (14237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\welcome_cn[1].htm (1469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\titlebg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526170756_638[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\v53_bicos[1].gif (826 bytes)
%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config0.ini (4 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (505 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·\ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â¶ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã‹Å“ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config.ini (3 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Program Files%\shandian\shandian.exe (3124 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÆ’Ã¢â‚¬Â°ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚ÂµÃƒÆ’Ã‚Â§ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (700 bytes)
%Documents and Settings%\%current user%\Desktop\360Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â²ÃƒÆ’Ã‹â€ Ãƒâ€šÃ‚Â«ÃƒÆ’Ã‚Â¤Ãƒâ€šÃ‚Â¯ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬Â ÃƒÆ’Ã‚Â·.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\bind.dll (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	49152	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	241664	21744	22016	2.03341	10f67552647fb182549d1b8e84e53598

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://112.124.102.171/stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-D6-C5-9B&md5=ace8fd4527cbb1f50d0250340f929a7e
hxxp://112.124.102.171/stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-D6-C5-9B&md5=ace8fd4527cbb1f50d0250340f929a7e
hxxp://www.jlbnh.com/	112.124.102.171
hxxp://proxy.sogou.com/?22014
hxxp://www.jlbnh.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a9457b011f4bbe0d90d1e4cb26c539cb6cf8cfc2fb8f4501b35aaa8b9c8547021401098120&lastver=	112.124.102.171
hxxp://njsh.cdn.sogou.com/kan/static/css/DD_belatedPNG_0.0.8a-min.js?t=
hxxp://proxy.sogou.com/css/skin_.css?V=df
hxxp://njsh.cdn.sogou.com/imgn/v32/icon4.gif
hxxp://proxy.sogou.com/v53/jsn/v53_123n.js?V=df
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/subnav_v41.png
hxxp://njsh.cdn.sogou.com/imgn/v32/skin3.gif
hxxp://njsh.cdn.sogou.com/imgn/v32/skin2_0.gif
hxxp://njsh.cdn.sogou.com/imgn/v32/selogo_111207.png
hxxp://njsh.cdn.sogou.com/imgn/v32/setskinbg.gif
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_2icos.gif
hxxp://proxy.sogou.com/dh/dhrc/rec.do?block=gamev2&jsonp=__yx2q&t=1&_stamp=1401098124868
hxxp://njsh.cdn.sogou.com/imgn/123ie/search_arrow.gif
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140508103513_537.gif
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_bicos.gif
hxxp://njsh.cdn.sogou.com/imgu/2013/05/20130531144119_126.png
hxxp://njsh.cdn.sogou.com/imgn/123ie/setting_icon.gif
hxxp://njsh.cdn.sogou.com/imgu/2013/08/20130820165531_481.gif
hxxp://njsh.cdn.sogou.com/u/js/ufo2.js
hxxp://njsh.cdn.sogou.com/imgn/v32/titlebg.png
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_arrow_h.gif
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1401098125415&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=Ã§Æ’ÂÃ¨Â¡â‚¬Ã¦Â²â„¢Ã¥Å¸Å½_Ã©Â£Å½Ã¤Âºâ€˜Ã¦â€”Â Ã¥ÂÅ’_Ã¦Å¡â€”Ã©Â»â€˜Ã¥Â±Â Ã©Â¾â„¢_Ã¥Â¤Â§Ã©â€”Â¹Ã¥Â¤Â©Ã¥Â®Â«OL_Ã¤Â¸â€¡Ã¤Â¸â€“_SogouÃ¥â€šÂ²Ã¥â€°â€˜2
hxxp://njsh.cdn.sogou.com/v53/imgn/foot_slider.jpg
hxxp://www.jlbnh.com/web/newioage.css	112.124.102.171
hxxp://njsh.cdn.sogou.com/ads_hz/_ads_2.js?t=778387
hxxp://www.jlbnh.com/web/images/texture.gif	112.124.102.171
hxxp://www.jlbnh.com/web/images/start_button.jpg	112.124.102.171
hxxp://njsh.cdn.sogou.com/imgn/v32/fbg_about.png
hxxp://www.jlbnh.com/web/images/guide_top.jpg	112.124.102.171
hxxp://njsh.cdn.sogou.com/imgn/v51/new-erweima2.png
hxxp://njsh.cdn.sogou.com/v53/jsn/main.js?V=107ff6db9da3d62875c7cafb326229a51
hxxp://www.jlbnh.com/web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000	112.124.102.171
hxxp://njsh.cdn.sogou.com/imgn/v32/logo_1112293.gif
hxxp://proxy.sogou.com//v53/get_123_v53.php?block=wt&ver=v53&gfg=1&city=unknown&pid=Af22014&c=1401098128040&method=ajaf&cbf=fn
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=daohang&rdk=1401098128055&img=pv.gif&pars=?rand=1401098128055&suid=null&sduv=1401098128008_9040_00001&ckid=3060_00001_00000_6308_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_df__4&sys=100&ser=null&sev=null&time=5422
hxxp://proxy.sogou.com/jsn/hotdata.js?V=1401098128086
hxxp://njsh.cdn.sogou.com/jsn/citydata.js
hxxp://njsh.cdn.sogou.com/jsn/v33_sugg_ajaj_v40_3.js
hxxp://proxy.sogou.com/images/weather/fine_cloudy.gif
hxxp://proxy.sogou.com/images/weather/cloudy.gif
hxxp://njsh.cdn.sogou.com/imgn/tips/skin_tips_n1.gif
hxxp://www.jlbnh.com/favicon.ico	112.124.102.171
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=daohang&ptype=indexv53&pcode=index&rdk=1401098129555&refer=&page=Ã¦ÂÅ“Ã§â€¹â€”Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†ÂªÃ¯Â¼ÂÃ¯Â¼ÂÃ§Â½â€˜Ã¥Ââ‚¬Ã¥Â¤Â§Ã¥â€¦Â¨,Ã¥Â®Å¾Ã§â€Â¨Ã§Â½â€˜Ã¥Ââ‚¬,Ã¥Â°Â½Ã¥Å“Â¨123.sogou.com&pageUrl=http://123.sogou.com/?22014&img=pv.gif&vcode=v53
hxxp://proxy.sogou.com/v53/get_tj.php?hz=4670327&ids=qiche
hxxp://njsh.cdn.sogou.com/v53/imgn/guide_tip.png
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140526163043_207.jpg
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140526163242_997.jpg
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140526163446_912.jpg
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140526170756_638.jpg
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140526151008_75.jpg
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/new-ico.png
hxxp://njsh.cdn.sogou.com/imgu/2013/08/20130830161205_609.gif
hxxp://njsh.cdn.sogou.com/imgn/v51/i-ico-2b.png
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/img-video-2.gif
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/img-news.gif
hxxp://save2.xdwscache.glb0.lxdns.com/img/news_photo/2014/05/26/zd7uDX2EkK0904.jpg
hxxp://save2.xdwscache.glb0.lxdns.com/img/news_photo/2014/05/26/edKzjJ6oPX1140.jpg
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140520113551_825.jpg
hxxp://proxy.sogou.com/favicon.ico
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/jquery-1.7.2.min.js	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/stylemini.css	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/nvxing_509_366.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/xinwen.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/lieqi_509_366.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/shehui_509_366.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/jiankang_509_366.htm?time=undefined	117.34.91.39
hxxp://taurus.danuoyi.tbcache.com/material/d7/4/a9ac5ed3b828895d94097c8c6faba.jpg
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/meinv.htm?time=undefined	117.34.91.39
hxxp://drmcmm.e.shifen.com/media/id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs.jpg
hxxp://taurus.danuoyi.tbcache.com/noname.gif
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/Untitled-1.gif	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/Untitled-2.gif	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/Untitled-3.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/normal_bg.png	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/tj.js	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/ico_new2.png	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/min.png	117.34.91.39
hxxp://c.split.cnzz.com/stat.php?id=5645354
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/close.png	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/inc/style.css	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b13.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b15.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b14.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b16.jpg	117.34.91.39
hxxp://c.split.cnzz.com/core.php?web_id=5645354&t=z
hxxp://z12.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=0&sin=none&t=undefinedundefinedundefined&rnd=441217010
hxxp://z12.cnzz.com/stat.htm?id=5645354&r=&lg=en-us&ntime=1401115709&repeatip=1&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17559&sin=&t=undefinedundefinedundefinedundefinedundefined&rnd=563005344
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b17.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b18.JPG	117.34.91.39
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1415945858
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/b19.JPG	117.34.91.39
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=991898417
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa4.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa3.jpg	117.34.91.39
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=59071995
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa5.jpg	117.34.91.39
hxxp://z12.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=2&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17557&sin=none&t=undefinedundefinedundefined&rnd=1775514661
hxxp://pcookie.split.cnzz.com/app.gif?&cna=PkIKDEZdlGUCAbhrJib8ISST
hxxp://pcookie.split.cnzz.com/app.gif?&cna=PkIKDKU5YBACAbhrJia oqh0
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa6.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa1.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa2.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa7.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa8.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa9.jpg	117.34.91.39
hxxp://www.mdtxw.org.he2.aqb.so/miniindex/images/aaa10.jpg	117.34.91.39
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=2108033191
hxxp://z12.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=3&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17555&sin=none&t=undefinedundefinedundefined&rnd=1145500216
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=845725053
hxxp://z12.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=4&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17553&sin=none&t=undefinedundefinedundefined&rnd=1207344477
hxxp://cache.adm.cnzz.net/material/d7/4/a9ac5ed3b828895d94097c8c6faba.jpg	195.27.31.240
hxxp://www.mdtxw.org/miniindex/inc/ico_new2.png	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/Untitled-2.gif	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa1.jpg	117.34.91.39
hxxp://p4.123.sogoucdn.com/imgu/2014/05/20140526151008_75.jpg	222.211.87.167
hxxp://www.mdtxw.org/miniindex/nvxing_509_366.htm?time=undefined	117.34.91.39
hxxp://p3.123.sogoucdn.com/imgn/v51/i-ico-2b.png	222.211.87.167
hxxp://p6.123.sogoucdn.com/imgn/123ie/setting_icon.gif	222.211.87.171
hxxp://c.cnzz.com/core.php?web_id=5645354&t=z	42.120.219.6
hxxp://d.123.sogoucdn.com/v53/imgn/v53_arrow_h.gif	222.211.87.167
hxxp://stat.fjmjm.com/stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-D6-C5-9B&md5=ace8fd4527cbb1f50d0250340f929a7e
hxxp://s9.cnzz.com/stat.php?id=5645354	1.99.192.15
hxxp://p4.123.sogoucdn.com/imgn/v32/fbg_about.png	222.211.87.167
hxxp://www.mdtxw.org/miniindex/xinwen.htm?time=undefined	117.34.91.39
hxxp://p4.123.sogoucdn.com/imgu/2014/05/20140508103513_537.gif	222.211.87.167
hxxp://d.123.sogoucdn.com/imgn/v32/icon4.gif	222.211.87.167
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=&lg=en-us&ntime=1401115709&repeatip=1&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17559&sin=&t=undefinedundefinedundefinedundefinedundefined&rnd=563005344	42.156.140.25
hxxp://cache.adm.cnzz.net/noname.gif	195.27.31.240
hxxp://p8.123.sogoucdn.com/imgn/tips/skin_tips_n1.gif	222.211.87.185
hxxp://www.mdtxw.org/miniindex/tj.js	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/b16.jpg	117.34.91.39
hxxp://www.fjmjm.com/web/newioage.css	112.124.102.171
hxxp://www.mdtxw.org/miniindex/lieqi_509_366.htm?time=undefined	117.34.91.39
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=0&sin=none&t=undefinedundefinedundefined&rnd=441217010	42.156.140.25
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/img-video-2.gif	222.211.87.167
hxxp://www.mdtxw.org/miniindex/inc/normal_bg.png	117.34.91.39
hxxp://p1.123.sogoucdn.com/imgn/v32/selogo_111207.png	114.80.179.226
hxxp://d.123.sogoucdn.com/v53/jsn/main.js?V=107ff6db9da3d62875c7cafb326229a51	222.211.87.167
hxxp://p2.123.sogoucdn.com/imgu/2013/05/20130531144119_126.png	58.215.147.36
hxxp://www.mdtxw.org/miniindex/images/Untitled-3.jpg	117.34.91.39
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/new-ico.png	222.211.87.167
hxxp://www.mdtxw.org/miniindex/images/b14.jpg	117.34.91.39
hxxp://d.123.sogoucdn.com/v53/imgn/v53_bicos.gif	222.211.87.167
hxxp://p5.123.sogoucdn.com/imgn/v32/logo_1112293.gif	114.80.179.224
hxxp://wan.sogou.com/dh/dhrc/rec.do?block=gamev2&jsonp=__yx2q&t=1&_stamp=1401098124868	106.120.151.61
hxxp://p0.123.sogoucdn.com/imgn/v32/skin3.gif	114.80.179.210
hxxp://www.mdtxw.org/miniindex/inc/close.png	117.34.91.39
hxxp://123.sogou.com/favicon.ico	106.120.151.61
hxxp://www.mdtxw.org/miniindex/images/b15.jpg	117.34.91.39
hxxp://p1.123.sogoucdn.com/imgu/2014/05/20140526163446_912.jpg	114.80.179.226
hxxp://d.123.sogoucdn.com/v53/imgn/guide_tip.png	222.211.87.167
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=845725053	42.120.219.171
hxxp://pcookie.cnzz.com/app.gif?&cna=PkIKDKU5YBACAbhrJia oqh0	42.120.219.171
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=991898417	42.120.219.171
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=daohang&ptype=indexv53&pcode=index&rdk=1401098129555&refer=&page=Ã¦ÂÅ“Ã§â€¹â€”Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†ÂªÃ¯Â¼ÂÃ¯Â¼ÂÃ§Â½â€˜Ã¥Ââ‚¬Ã¥Â¤Â§Ã¥â€¦Â¨,Ã¥Â®Å¾Ã§â€Â¨Ã§Â½â€˜Ã¥Ââ‚¬,Ã¥Â°Â½Ã¥Å“Â¨123.sogou.com&pageUrl=http://123.sogou.com/?22014&img=pv.gif&vcode=v53	106.120.151.52
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=2108033191	42.120.219.171
hxxp://www.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a9457b011f4bbe0d90d1e4cb26c539cb6cf8cfc2fb8f4501b35aaa8b9c8547021401098120&lastver=	112.124.102.171
hxxp://123.sogou.com//v53/get_123_v53.php?block=wt&ver=v53&gfg=1&city=unknown&pid=Af22014&c=1401098128040&method=ajaf&cbf=fn	106.120.151.61
hxxp://www.mdtxw.org/miniindex/inc/min.png	117.34.91.39
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=2&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17557&sin=none&t=undefinedundefinedundefined&rnd=1775514661	42.156.140.25
hxxp://p4.123.sogoucdn.com/imgn/v32/selogo_111207.png	222.211.87.167
hxxp://drmcmm.baidu.com/media/id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs.jpg	123.125.65.55
hxxp://www.mdtxw.org/miniindex/jiankang_509_366.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa8.jpg	117.34.91.39
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140526170756_638.jpg	114.80.179.210
hxxp://123.sogou.com/?22014	106.120.151.61
hxxp://p7.123.sogoucdn.com/imgn/123ie/search_arrow.gif	114.80.179.206
hxxp://d.123.sogoucdn.com/v53/imgn/foot_slider.jpg	222.211.87.167
hxxp://123.sogou.com/jsn/hotdata.js?V=1401098128086	106.120.151.61
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1415945858	42.120.219.171
hxxp://pb.sogou.com/pv.gif?uigs_productid=daohang&rdk=1401098128055&img=pv.gif&pars=?rand=1401098128055&suid=null&sduv=1401098128008_9040_00001&ckid=3060_00001_00000_6308_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_df__4&sys=100&ser=null&sev=null&time=5422	106.120.151.52
hxxp://pic2.xcarimg.com/img/news_photo/2014/05/26/zd7uDX2EkK0904.jpg	222.84.167.30
hxxp://123.sogou.com/v53/jsn/v53_123n.js?V=df	106.120.151.61
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/img-news.gif	222.211.87.167
hxxp://www.mdtxw.org/miniindex/shehui_509_366.htm?time=undefined	117.34.91.39
hxxp://www.mdtxw.org/miniindex/inc/jquery-1.7.2.min.js	117.34.91.39
hxxp://p3.123.sogoucdn.com/imgn/v51/new-erweima2.png	222.211.87.167
hxxp://p5.123.sogoucdn.com/imgu/2013/08/20130830161205_609.gif	114.80.179.224
hxxp://www.mdtxw.org/miniindex/images/b19.JPG	117.34.91.39
hxxp://www.mdtxw.org/miniindex/meinv.htm?time=undefined	117.34.91.39
hxxp://p0.123.sogoucdn.com/imgn/v32/titlebg.png	114.80.179.210
hxxp://p5.123.sogoucdn.com/imgu/2014/05/20140526163043_207.jpg	114.80.179.224
hxxp://p1.123.sogoucdn.com/imgn/v32/skin2_0.gif	114.80.179.226
hxxp://www.mdtxw.org/miniindex/images/aaa2.jpg	117.34.91.39
hxxp://www.fjmjm.com/web/images/start_button.jpg	112.124.102.171
hxxp://d.123.sogoucdn.com/ads_hz/_ads_2.js?t=778387	222.211.87.167
hxxp://www.fjmjm.com/web/images/texture.gif	112.124.102.171
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=3&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17555&sin=none&t=undefinedundefinedundefined&rnd=1145500216	42.156.140.25
hxxp://www.mdtxw.org/miniindex/images/aaa4.jpg	117.34.91.39
hxxp://d.123.sogou.com/jsn/v33_sugg_ajaj_v40_3.js	114.80.179.210
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140526163242_997.jpg	114.80.179.210
hxxp://123.sogou.com/images/weather/fine_cloudy.gif	106.120.151.61
hxxp://stat.fjmjm.com/web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000
hxxp://www.mdtxw.org/miniindex/	117.34.91.39
hxxp://p0.123.sogoucdn.com/imgn/sehome/tjv1/subnav_v41.png	114.80.179.210
hxxp://www.mdtxw.org/miniindex/images/b13.jpg	117.34.91.39
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1401098125415&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=Ã§Æ’ÂÃ¨Â¡â‚¬Ã¦Â²â„¢Ã¥Å¸Å½_Ã©Â£Å½Ã¤Âºâ€˜Ã¦â€”Â Ã¥ÂÅ’_Ã¦Å¡â€”Ã©Â»â€˜Ã¥Â±Â Ã©Â¾â„¢_Ã¥Â¤Â§Ã©â€”Â¹Ã¥Â¤Â©Ã¥Â®Â«OL_Ã¤Â¸â€¡Ã¤Â¸â€“_SogouÃ¥â€šÂ²Ã¥â€°â€˜2	106.120.151.52
hxxp://d.123.sogou.com/jsn/citydata.js	114.80.179.210
hxxp://p8.123.sogoucdn.com/imgn/v32/selogo_111207.png	222.211.87.185
hxxp://d.123.sogoucdn.com/kan/static/css/DD_belatedPNG_0.0.8a-min.js?t=	222.211.87.167
hxxp://pcookie.cnzz.com/app.gif?&cna=PkIKDEZdlGUCAbhrJib8ISST	42.120.219.171
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=59071995	42.120.219.171
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=4&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17553&sin=none&t=undefinedundefinedundefined&rnd=1207344477	42.156.140.25
hxxp://123.sogou.com/css/skin_.css?V=df	106.120.151.61
hxxp://www.fjmjm.com/web/images/guide_top.jpg	112.124.102.171
hxxp://www.mdtxw.org/miniindex/images/aaa5.jpg	117.34.91.39
hxxp://d.123.sogoucdn.com/v53/imgn/v53_2icos.gif	222.211.87.167
hxxp://www.mdtxw.org/miniindex/inc/stylemini.css	117.34.91.39
hxxp://www.mdtxw.org/miniindex/inc/style.css	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa7.jpg	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa6.jpg	117.34.91.39
hxxp://123.sogou.com/images/weather/cloudy.gif	106.120.151.61
hxxp://www.mdtxw.org/miniindex/images/aaa9.jpg	117.34.91.39
hxxp://stat.fjmjm.com/stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-D6-C5-9B&md5=ace8fd4527cbb1f50d0250340f929a7e
hxxp://p6.123.sogoucdn.com/imgu/2013/08/20130820165531_481.gif	222.211.87.171
hxxp://123.sogou.com/v53/get_tj.php?hz=4670327&ids=qiche	106.120.151.61
hxxp://p0.123.sogoucdn.com/u/js/ufo2.js	114.80.179.210
hxxp://www.mdtxw.org/miniindex/images/Untitled-1.gif	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/b17.jpg	117.34.91.39
hxxp://pic3.xcarimg.com/img/news_photo/2014/05/26/edKzjJ6oPX1140.jpg	222.84.167.30
hxxp://p3.123.sogoucdn.com/imgn/v32/setskinbg.gif	222.211.87.167
hxxp://www.mdtxw.org/miniindex/images/b18.JPG	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa10.jpg	117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa3.jpg	117.34.91.39
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140520113551_825.jpg	114.80.179.210
hxxp://www.fjmjm.com/favicon.ico	112.124.102.171
down.jsrjrc.org	222.186.60.12

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan-Downloader connects to the servers at the folowing location(s):

Strings from Dumps