YHB.EXE is Trojan Artemis

Detected by UnHackMe:

YHB.EXE
Default location: %Common Appdata%\yhb\yhb.exe

Removal Results: Success
Number of reboot: 1

YHB.EXE is known as:

Trojan.Artemis

YHB.EXE hash:

• MD5: d1831950c4ddf4af6aee649a62fd7e74

Registry:

• HKLM\Software\Classes\CLSID\{D2E1E807-380C-48E6-B39E-226945AE6364}\InprocServer32\: “%Common Appdata%\yhb\yhb32.dll”
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\yhb: “”%Common Appdata%\yhb\yhb_run.exe” start”
• HKLM\System\CurrentControlSet\Services\yhbUpdate\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
• HKLM\System\CurrentControlSet\Services\yhbUpdate\Type: 0×00000110
• HKLM\System\CurrentControlSet\Services\yhbUpdate\Start: 0×00000002
• HKLM\System\CurrentControlSet\Services\yhbUpdate\ErrorControl: 0×00000001
• HKLM\System\CurrentControlSet\Services\yhbUpdate\ImagePath: “%Common Appdata%\yhb\yhb.exe”
• HKLM\System\CurrentControlSet\Services\yhbUpdate\DisplayName: “yhb Server”
• HKLM\System\CurrentControlSet\Services\yhbUpdate\ObjectName: “LocalSystem”

Folders:

• %Common Appdata%\yhb

Files:

• %Temp%\~st2.bin
• %Common Appdata%\yhb\config.ini
• %Common Appdata%\yhb\CoreIo.dll
• %Common Appdata%\yhb\SE_P100.dll
• %Common Appdata%\yhb\so_core.dll
• %Common Appdata%\yhb\ToolOper.dll
• %Common Appdata%\yhb\Update_uni.exe
• %Common Appdata%\yhb\yhb.exe
• %Common Appdata%\yhb\yhb32.dll
• %Common Appdata%\yhb\yhb64.dll
• %Common Appdata%\yhb\yhb_core.dll
• %Common Appdata%\yhb\yhb_run.exe