Adware-Adwin
Risk Level 1
File Size : 2392944 KB
File Type : Portable Executable file Win32 EXE
File Name : setup_22006.exe
MD5 : 397958872c311e9c678e5ffbe1dbb8dd
SHA1 : f0e47f97319b8298ade1e9040ca4b8675516b987
SHA256 : 7cd96ac766a2e717717ec294bd50621613244f2c923dd6638f

General information:

* File name: C:\Users\vmware\Desktop\report\setup_22006.exe

Changes to registry :

* Creates value "KpPopupDlg.exe=00001B58" in key HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\hmrl_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DisplayName=BB00A800C300A800C800D500C000FA000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
* Creates value "UninstallString=C:\Program Files\hmrl\uninst.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
binary data=43003A005C00500072006F006700720061006D002000460069006C00650073005C0068006D0072006C005C0075006E0069006E00730074002E006500780065000000
* Creates value "DisplayVersion=V1.0" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\花猫日历
binary data=560031002E0030000000

Changes to filesystem:

* Creates file C:\Program Files\hmrl\Help360Safe.exe
* Creates file C:\Program Files\hmrl\HmClockDate32.dll
* Creates file C:\Program Files\hmrl\HmClockDate32.exe
* Creates file C:\Program Files\hmrl\HmClockDate64.dll
* Creates file C:\Program Files\hmrl\HmClockDate64.exe
* Creates file C:\Program Files\hmrl\hmrl.exe
* Creates file C:\Program Files\hmrl\hook.dll
* Creates file C:\Program Files\hmrl\KpPopupDlg.exe
* Creates file C:\Program Files\hmrl\riliupdate.exe
* Creates file C:\Program Files\hmrl\RlDateSet.exe
* Creates file C:\Program Files\hmrl\rlimage\cebianback.png
* Creates file C:\Program Files\hmrl\rlimage\leftbtn.png
* Creates file C:\Program Files\hmrl\rlimage\onlineupdate.png
* Creates file C:\Program Files\hmrl\rlimage\rightbtn.png
* Creates file C:\Program Files\hmrl\rlimage\riliamuse.png
* Creates file C:\Program Files\hmrl\rlimage\riliback.png
* Creates file C:\Program Files\hmrl\rlimage\riliclose.png
* Creates file C:\Program Files\hmrl\rlimage\riligame.png
* Creates file C:\Program Files\hmrl\rlimage\riliheath.png
* Creates file C:\Program Files\hmrl\rlimage\rilinoval.png
* Creates file C:\Program Files\hmrl\rlimage\rilisel.jpg
* Creates file C:\Program Files\hmrl\rlimage\rilivideo.png
* Creates file C:\Program Files\hmrl\rlimage\riliweb.png
* Creates file C:\Program Files\hmrl\rlimage\updateback.png
* Creates file C:\Program Files\hmrl\rlimage\updatecheck.png
* Creates file C:\Program Files\hmrl\rlimage\updateknown.png
* Creates file C:\Program Files\hmrl\rlimage\updateuncheck.png
* Creates file C:\Program Files\hmrl\RlPopupDlg.exe
* Creates file C:\Program Files\hmrl\Uninst.exe
* Creates file C:\Program Files\hmrl\weather\0.gif
* Creates file C:\Program Files\hmrl\weather\1.gif
* Creates file C:\Program Files\hmrl\weather\10.gif
* Creates file C:\Program Files\hmrl\weather\11.gif
* Creates file C:\Program Files\hmrl\weather\12.gif
* Creates file C:\Program Files\hmrl\weather\13.gif
* Creates file C:\Program Files\hmrl\weather\14.gif
* Creates file C:\Program Files\hmrl\weather\15.gif
* Creates file C:\Program Files\hmrl\weather\16.gif
* Creates file C:\Program Files\hmrl\weather\17.gif
* Creates file C:\Program Files\hmrl\weather\18.gif
* Creates file C:\Program Files\hmrl\weather\19.gif
* Creates file C:\Program Files\hmrl\weather\2.gif
* Creates file C:\Program Files\hmrl\weather\20.gif
* Creates file C:\Program Files\hmrl\weather\21.gif
* Creates file C:\Program Files\hmrl\weather\22.gif
* Creates file C:\Program Files\hmrl\weather\23.gif
* Creates file C:\Program Files\hmrl\weather\24.gif
* Creates file C:\Program Files\hmrl\weather\25.gif
* Creates file C:\Program Files\hmrl\weather\26.gif
* Creates file C:\Program Files\hmrl\weather\27.gif
* Creates file C:\Program Files\hmrl\weather\28.gif
* Creates file C:\Program Files\hmrl\weather\29.gif
* Creates file C:\Program Files\hmrl\weather\3.gif
* Creates file C:\Program Files\hmrl\weather\30.gif
* Creates file C:\Program Files\hmrl\weather\31.gif
* Creates file C:\Program Files\hmrl\weather\4.gif
* Creates file C:\Program Files\hmrl\weather\5.gif
* Creates file C:\Program Files\hmrl\weather\6.gif
* Creates file C:\Program Files\hmrl\weather\7.gif
* Creates file C:\Program Files\hmrl\weather\8.gif
* Creates file C:\Program Files\hmrl\weather\9.gif
* Creates file C:\Program Files\hmrl\weather\nothing.gif
* Creates file C:\Program Files\hmrl\weather\wsdy.gif
* Creates file C:\Program Files\hmrl\weather\wslzy.gif
* Creates file C:\Program Files\hmrl\weather\wsq.gif
* Creates file C:\Program Files\hmrl\weather\wsw.gif
* Creates file C:\Program Files\hmrl\weather\wsy.gif
* Creates file C:\Program Files\hmrl\weather\wszx.gif
* Creates file C:\Program Files\hmrl\weather\wszy.gif
* Creates file C:\Program Files\hmrl\XLDownload.dll
* Creates file C:\Program Files\hmrl\zlib1.dll
* Creates file C:\ProgramData\572311.ico
* Creates file C:\ProgramData\kpzm.ico
* Creates file C:\ProgramData\wzdq.ico
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\98QV99O4\ips1388[1].htm
* Modifies file (hidden) C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\vmware\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZFK0SX85\hmrlconfig[1].htm
* Creates file C:\Users\vmware\AppData\Roaming\hmrl\hmrlconfig.ini
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\花猫日历.lnk
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\花猫日历\花猫日历.lnk
* Creates file C:\Users\vmware\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\花猫日历\卸载软件.lnk
* Creates file C:\Users\vmware\Desktop\花猫日历.lnk

Network services:

* Looks for an Internet connection.
* Queries DNS "khit.cn".
* Queries DNS "resolver1.qheal.ctmail.com".
* Queries DNS "resolver2.qheal.ctmail.com".
* Queries DNS "resolver3.qheal.ctmail.com".
* Queries DNS "resolver4.qheal.ctmail.com".
* Queries DNS "webres1.qheal.ctmail.com".
* Queries DNS "webres2.qheal.ctmail.com".
* Queries DNS "webres3.qheal.ctmail.com".
* Queries DNS "webres5.qheal.ctmail.com".
* Queries DNS "webres4.qheal.ctmail.com".
* Queries DNS "ip.dnsexit.com".
* Queries DNS "www.ip138.com".
* Queries DNS "webservice.webxml.com.cn".
* Queries DNS "teredo.ipv6.microsoft.com".
* C:\Users\vmware\Desktop\report\setup_22006.exe Connects to "220.243.228.73" on port 80 (TCP - HTTP).
* Downloads file from "maxdriverupdater.com/afterinstall.html?newmaxdu=1&utm_content=AfterInstall&utm_term=Setup&page=install&utm_source=39018&affiliate=39018&utm_campaign=39018&utm_medium=39018&affiliateid=39018&LangID=en".
* Downloads file from "maxdriverupdater.com/favicon.ico".
* Downloads file from "khit.cn/soft/azbconfig.ini".
* Downloads file from "khit.cn/soft/kp1configuration.ini".
* Downloads file from "khit.cn/hmrlconfig.ini".
* Opens the following URLs:
http://ip.dnsexit.com/
http://www.ip138.com/ips1388.asp?ip=

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Deletes activity traces.
* Enumerates running processes.
* Creates process "null, C:\Program Files\hmrl\hmrl.exe, null".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\Program Files\hmrl\hmrl.exe".
* Enables privilege SeShutdownPrivilege.
* Creates a mutex "OnlyOnehuamaoriliInstance".
* Creates a mutex "Local\!IETld!Mutex".
* Opens a service named "rasman".
* Opens a service named "Sens".
* Enables privilege SeAuditPrivilege.
* Creates a mutex "IESQMMUTEX_0_208".
* Creates process "C:\Program Files\hmrl\HmClockDate32.exe, "C:\Program Files\hmrl\HmClockDate32.exe" , C:\Program Files\hmrl".
* Injects code into process "C:\Sandbox\vmware\DefaultBox\drive\C\Program Files\hmrl\HmClockDate32.exe".
* Creates a mutex "OnlyOneHMRLInstance".
* Enables process privileges.
* Sleeps 110 seconds.

Additional Information:

How To Remove setup_22006.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where setup_22006.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the results table.
