not-a-virus:AdWare.Win32.Fiseria.t (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cf53d6c75e28713ff002a4a6990f6726
SHA1: bf5a6a4bfbdd54c3496c4bbfbf5858d553f65173
SHA256: eca10da8d6d43b5523139efe4437a42d812d0647217f32eb1360d3b581f1a5ff
SSDeep: 6144:NsaocyLCD7i9XTGr09aLmwV/aLLTyerQ6OI:NtobM7kGr09aLmwFwnm6OI
Size: 243800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-19 17:01:49
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsFE00.tmp:3684
%original file name%.exe:452
The Trojan injects its code into the following process(es):
5204846c-d8f1-11e2-a752-00259033c1da.exe:2224
install.exe:2124
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsFE00.tmp:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (188 bytes)
The process 5204846c-d8f1-11e2-a752-00259033c1da.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (51 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (0 bytes)
The process install.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (2712 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (0 bytes)
The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFDA0.tmp (8720 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFD9F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp (0 bytes)
Registry activity
The process 5204846c-d8f1-11e2-a752-00259033c1da.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Logging" = "0"
The process install.exe:2124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 85 FE F1 1B"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"91C6D6EE3E8AC86384E548C299295C756C817B81"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
7764bda340016cc3e52b3536240e7bf6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe |
184a43e8f2ea6b1b919fb3348a2bc281 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe |
249ae678f0dac4c625c6de6aca53823a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll |
b565839cf1216d8d7e3dd3bccb018e5a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsFE00.tmp:3684
%original file name%.exe:452
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFDA0.tmp (8720 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: FLVMPlayer
Product Version:
Legal Copyright: AppInstaller 2013 (131782022)
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.13.0
File Description: FLVMPlayer AppInstaller
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34884 | 35328 | 4.14077 | 49b0a05e59cfe2eb146863465a7f35bb |
.data | 40960 | 140 | 512 | 0.818128 | df0ef3a0da7e22c790a62c5869d70520 |
.rdata | 45056 | 9108 | 9216 | 4.08895 | 91271e59f4470886a512444b74613d7b |
.bss | 57344 | 109520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 167936 | 4868 | 5120 | 3.63012 | 5f39890d9696ebf98517ebe318287e41 |
.ndata | 176128 | 36864 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.rsrc | 212992 | 17824 | 17920 | 2.90265 | 2f56f5cb3d4cec1e226096b3431f1284 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 41
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.dscb1.akamaiedge.net/ThawtePCA.crl | |
hxxp://crl.thawte.com/ThawtePCA.crl | 23.43.133.163 |
dns.msftncsi.com | |
ocsp.thawte.com | |
cs-g2-crl.thawte.com | |
www.download.windowsupdate.com | |
time.windows.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ThawtePCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com
HTTP/1.1 200 OK
Server: Apache
ETag: "84b5919583c6a74d4407f67543ca4c35:1474920014"
Last-Modified: Mon, 26 Sep 2016 20:00:14 GMT
Date: Tue, 20 Dec 2016 07:01:35 GMT
Content-Length: 537
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps