Gen.Variant.Ursu.165537_2e89cb0146
Gen:Variant.Ursu.165537 (BitDefender), Trojan:MSIL/Vigorf.A (Microsoft), Trojan-Dropper.MSIL.Addrop.cqx (Kaspersky), Trojan.Hosts.44902 (DrWeb), Gen:Variant.Ursu.165537 (B) (Emsisoft), Artemis!2E89CB01463E (McAfee), Trojan.Gen.2 (Symantec), AdWare.MSIL.Csdimonetize (Ikarus), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2e89cb01463e4de6dd3ab54885870ba5
SHA1: 899d4a9c790be74187bbde7675d94a2e127d7863
SHA256: 69772ce6dc8ba06bfb10f59061195ddb2eeb144565cebbd5fb46cb2042a09ffb
SSDeep: 12288:o7blMvmZ3EuNEiBePS9GL8 iDNdRbMsJsfCNqA4qURdlPIJ:o7blsmZ3ZKqU8DdtMN 4HvlP4
Size: 499639 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
booster.tmp:2228
NewSysMapper.exe:2996
220825.exe:196
booster.exe:2808
booster.exe:3220
%original file name%.exe:2052
2e89cb01463e4de6dd3ab54885870ba5.tmp:2600
The Trojan injects its code into the following process(es):
No injected processes were found.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process booster.tmp:2228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\is-HJ2TC.tmp (1 bytes)
%Program Files%\Game\220825.exe (5216 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\is-1737K.tmp (4545 bytes)
%Program Files%\Game\220825.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\PlaneEN.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\PlaneEN.exe (4545 bytes)
The process NewSysMapper.exe:2996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (260003 bytes)
The process 220825.exe:196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7054.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7044.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar85BB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7043.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1710 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1544 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab85BA.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7055.tmp (2712 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7054.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.196.12732021 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7044.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7043.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab85BA.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.196.12732021 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar85BB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7055.tmp (0 bytes)
The process booster.exe:2808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8FKEJ.tmp\booster.tmp (1429 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8FKEJ.tmp\booster.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8FKEJ.tmp (0 bytes)
The process booster.exe:3220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (864 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (864 bytes)
The process %original file name%.exe:2052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TEHGV.tmp\2e89cb01463e4de6dd3ab54885870ba5.tmp (1448 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TEHGV.tmp\2e89cb01463e4de6dd3ab54885870ba5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TEHGV.tmp (0 bytes)
The process 2e89cb01463e4de6dd3ab54885870ba5.tmp:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_A2E7FF7CFBC6B9BF06CE29B23F0D7A5A (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4128.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\booster.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\booster.exe (205377 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4129.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874 (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\idp.dll (1502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\NewSysMapper.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\NewSysMapper.exe (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_A2E7FF7CFBC6B9BF06CE29B23F0D7A5A (471 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4128.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\booster.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\booster.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4129.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\idp.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\NewSysMapper.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\NewSysMapper.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\itdownload.dll (0 bytes)
Registry activity
The process booster.tmp:2228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0001]
"RegFilesHash" = "A2 BF 74 64 9E 5F 04 AD 91 00 14 F2 B9 4F 76 E3"
"RegFiles0000" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\PlaneEN.exe"
"SessionHash" = "DF 87 32 47 3C E3 34 4D CC F2 DA D7 B3 4D 69 29"
"Owner" = "B4 08 00 00 C2 58 6F 5D ED 09 D4 01"
"Sequence" = "1"
The process 220825.exe:196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\220825_RASMANCS]
"MaxFileSize" = "1048576"
The process 2e89cb01463e4de6dd3ab54885870ba5.tmp:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "94 81 33 B7 89 53 F9 B4 DB 9E 76 90 82 1A FA 75"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "28 0A 00 00 4B 81 FA 53 ED 09 D4 01"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2e89cb01463e4de6dd3ab54885870ba5_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\RestartManager\Session0000]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence"
"Owner"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
c0fb3ba712fb3e6463a6927a0601a927 | c:\Program Files\Game\220825.exe |
c0fb3ba712fb3e6463a6927a0601a927 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\PlaneEN.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 2097675 bytes in size. The following entries were added to the hosts file:
IP | Host name |
---|---|
127.0.0.1 | cpm.paneladmin.pro |
127.0.0.1 | publisher.hmdiadmingate.xyz |
127.0.0.1 | hmdicrewtracksystem.xyz |
127.0.0.1 | mydownloaddomain.com |
127.0.0.1 | linkmate.space |
127.0.0.1 | space1.adminpressure.space |
127.0.0.1 | trackpressure.website |
127.0.0.1 | doctorlink.space |
127.0.0.1 | plugpackdownload.net |
127.0.0.1 | texttotalk.org |
127.0.0.1 | gambling577.xyz |
127.0.0.1 | htagdownload.space |
127.0.0.1 | mybcnmonetize.com |
127.0.0.1 | 360devtraking.website |
127.0.0.1 | dscdn.pw |
127.0.0.1 | bcnmonetize.go2affise.com |
127.0.0.1 | beautifllink.xyz |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Tarder
Product Name: Evader
Product Version: 1.0.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Evader Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 41424 | 41472 | 4.6051 | b7ea439d9c6d5ec722056c9243fb3054 |
DATA | 49152 | 592 | 1024 | 1.89931 | 9b2268ed5360951559d8041925d025fb |
BSS | 53248 | 3732 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 57344 | 2428 | 2560 | 3.10951 | df5f31e62e05c787fd29eed7071bf556 |
.tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 65536 | 24 | 512 | 0.132037 | 14dfa4128117e7f94fe2f8d7dea374a0 |
.reloc | 69632 | 2332 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 73728 | 21492 | 21504 | 3.1319 | ac585582a7a3bf2f812a23ef23df662d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://asedownloadgate.com/exe/avboost-installer.exe | 46.105.121.115 |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAGC+AmOouYmuRo7J4Qfua8= | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF/EdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEA7cK/Jk9VZxucRii0Q9yCY= | |
hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c | |
hxxp://cs10.wpc.v0cdn.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 68.232.34.200 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAGC+AmOouYmuRo7J4Qfua8= | 93.184.220.29 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF/EdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEA7cK/Jk9VZxucRii0Q9yCY= | 93.184.220.29 |
hxxp://apps.identrust.com/roots/dstrootcax3.p7c | 192.35.177.64 |
s3-eu-west-1.amazonaws.com | 54.231.134.83 |
pc.mainmarketingswarm.com | 149.202.91.53 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
booster.tmp:2228
NewSysMapper.exe:2996
220825.exe:196
booster.exe:2808
booster.exe:3220
%original file name%.exe:2052
2e89cb01463e4de6dd3ab54885870ba5.tmp:2600
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\is-HJ2TC.tmp (1 bytes)
%Program Files%\Game\220825.exe (5216 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\is-1737K.tmp (4545 bytes)
%Program Files%\Game\220825.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MQ0I6.tmp\PlaneEN.exe.config (1 bytes)
C:\Windows\System32\drivers\etc\hosts (260003 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7054.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7044.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar85BB.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7043.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1710 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1544 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab85BA.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7055.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8FKEJ.tmp\booster.tmp (1429 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-TEHGV.tmp\2e89cb01463e4de6dd3ab54885870ba5.tmp (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_A2E7FF7CFBC6B9BF06CE29B23F0D7A5A (1624 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4128.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\booster.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4129.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874 (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\idp.dll (1502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\NewSysMapper.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-B19SC.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_A2E7FF7CFBC6B9BF06CE29B23F0D7A5A (471 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.