Detections: Win32.Expiro.Gen.4 (B) (Emsisoft), Win32.Expiro.Gen.4 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c78ba9cfd91fb30a09a95d46465b8637
SHA1: 4390ba60d5de3b6f8112441ff1fb1106821f11e9
SHA256: f58c63d9dde3f13b268654c64c42493b91745fb67e1d97e3853820b2a7833632
SSDeep: 12288:2Ki/GhbphjUVvbE1Tv7D2lYZ8nPtq Nr9VQnxnda/:yehbpVUVQ1HD2zlZ4a
Size: 512000 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2015-03-23 01:12:25
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). Read this generic, automatically generated label together with the detection names above (Win32.Expiro, VirusExpiro) and the file activity below, where the sample writes into a dozen existing Windows service and vendor updater executables under C:\Windows and %Program Files%: that is the behaviour of a file-infecting virus, not of a standalone trojan.
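The Summary block reports the sample as "Entropy: Packed" without showing how that verdict is reached. The following is an added example, not code from the report or from Lavasoft: it walks the PE section table, computes Shannon entropy per section, and flags the image when any section exceeds a threshold. The 7.0 bit/byte threshold, the build_pe() helper and the two constructed images are assumptions for an offline demonstration; the same triage() applies to the sample itself or to the infected service executables listed under File activity.

```python
"""Per-section entropy triage for a PE file.

Added example, not from the Lavasoft report: it shows how an
'Entropy: Packed' style verdict is computed. The 7.0 bit/byte
threshold and the minimal PE image built by build_pe() are assumptions.
"""
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

PACKED_THRESHOLD = 7.0  # assumed: above this a section looks packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, raw bytes) per section. Only the fields needed to locate
    raw data are decoded."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]      # COFF SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         image[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(image: bytes, threshold: float = PACKED_THRESHOLD) -> Tuple[str, Dict[str, float]]:
    """Return ('Packed' | 'Not packed', {section: entropy}); a single section
    over the threshold is enough for the 'Packed' verdict."""
    per_section = {name: round(shannon_entropy(data), 2) for name, data in pe_sections(image)}
    verdict = "Packed" if any(e > threshold for e in per_section.values()) else "Not packed"
    return verdict, per_section


def build_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed minimal PE (no optional header) so the demo runs offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, blobs = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + blobs


# Constructed inputs: a uniformly distributed section (entropy 8.0, as a packed or
# encrypted body would look) next to plain, repetitive sections.
PACKED_IMAGE = build_pe([(".text", bytes(range(256)) * 8), (".data", b"\0" * 512)])
PLAIN_IMAGE = build_pe([(".text", b"ABCD" * 128), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, triage(img))
```

Entropy alone does not distinguish a packer from compressed resources or an embedded certificate, so treat the verdict as a triage hint; for infected hosts the more telling sign is a high-entropy section that the vendor's signed original does not have.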
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WerFault.exe:2308
FlashPlayerUpdateService.exe:2576
FlashPlayerUpdateService.exe:1820
wermgr.exe:2640
FlashPlayerInstaller.exe:1700
The Trojan injects its code into the following process(es):
%original file name%.exe:1964
rpcapd.exe:760
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process WerFault.exe:2308 makes changes in the file system. WerFault.exe is the Windows Error Reporting handler; the report directory name (AppCrash_infocard.exe_...) shows it is recording a crash of infocard.exe, one of the executables the sample writes to below, so the entries in this block are crash-reporting side effects rather than the sample's own payload.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer (166906 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBAB9.tmp.hdmp (167984 bytes)
C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (158 bytes)
C:\Windows\Temp\WERB663.tmp.appcompat.txt (12656 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBA6A.tmp.WERInternalMetadata.xml (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WER487.tmp.WERDataCollectionFailure.txt (80 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERB663.tmp.appcompat.txt (31 bytes)
C:\Windows\Temp\WERBAB9.tmp.hdmp (498066 bytes)
C:\Windows\Temp\WERE0EF.tmp.mdmp (4808 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\WERBAB9.tmp (0 bytes)
C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WERE0EF.tmp (0 bytes)
C:\Windows\Temp\WERBA6A.tmp (0 bytes)
C:\Windows\Temp\WER487.tmp (0 bytes)
C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (0 bytes)
C:\Windows\Temp\WERB663.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERB663.tmp (0 bytes)
C:\Windows\Temp\WERBAB9.tmp.hdmp (0 bytes)
C:\Windows\Temp\WERE0EF.tmp.mdmp (0 bytes)
The process FlashPlayerUpdateService.exe:2576 makes changes in the file system. FlashPlayerUpdateService.exe is itself one of the executables the sample writes to; the Flash update and install activity recorded for this process, for FlashPlayerUpdateService.exe:1820 and for FlashPlayerInstaller.exe:1700 is consistent with the host program's own update logic running, not with behaviour added by the sample.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\FlashInstall.log (892 bytes)
The process FlashPlayerUpdateService.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (1655206 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (11464 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (0 bytes)
C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E} (0 bytes)
The process %original file name%.exe:1964 makes changes in the file system. This is the submitted sample itself. Every non-.tmp target below is an existing service or updater executable (Media Center ehrecvr.exe and ehsched.exe, snmptrap.exe, CardSpace infocard.exe, WinPcap rpcapd.exe, the .NET service hosts, FXSSVC.exe, alg.exe, msiexec.exe, GoogleUpdate.exe and the Flash updater), the write sizes are small and repeat (1425 and 2105 bytes several times), and one eight-letter .tmp file is created in each target's directory and then deleted. That pattern is in-place modification of existing executables, consistent with the Expiro detection names.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\jopmedjd.tmp (320 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\System32\olkelmpl.tmp (305 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (1 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\ehome\qnnboobi.tmp (800 bytes)
%Program Files%\Google\Update\ghfbjkol.tmp (388 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (304 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
C:\Windows\System32\snmptrap.exe (1281 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7547 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
C:\Windows\System32\fpohabbd.tmp (257 bytes)
C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (507 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\System32\hmbgnolk.tmp (766 bytes)
C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (274 bytes)
%Program Files%\WinPcap\iigafjee.tmp (356 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\msiexec.exe (1425 bytes)
C:\Windows\ehome\dadlhgbe.tmp (340 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (0 bytes)
C:\Windows\System32\jopmedjd.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (0 bytes)
%Program Files%\Google\Update\ghfbjkol.tmp (0 bytes)
C:\Windows\System32\fpohabbd.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (0 bytes)
C:\Windows\System32\olkelmpl.tmp (0 bytes)
C:\Windows\ehome\qnnboobi.tmp (0 bytes)
C:\Windows\System32\hmbgnolk.tmp (0 bytes)
C:\Windows\ehome\dadlhgbe.tmp (0 bytes)
C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (0 bytes)
%Program Files%\WinPcap\iigafjee.tmp (0 bytes)
The process wermgr.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer.tmp (178224 bytes)
The process FlashPlayerInstaller.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\FlashInstall.log (2 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (544 bytes)
C:\Windows\System32\FlashPlayerApp.exe (802 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll (542 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (443 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe (50 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx (11464 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (1086 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\Macromed\Temp (0 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.exe (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.dll (0 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (0 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96} (0 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_23_0_0_185.ocx (0 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126} (0 bytes)
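The file-activity listing above is the actionable part of this report, but only after the sample's own writes are separated from the WerFault and Flash-updater side effects and from the transient .tmp scratch files. The following is an added example, not code from the report or from Lavasoft: it parses the "The process X:PID makes changes in the file system" blocks in the page's own line format, extracts the executables the sample wrote to, and compares a candidate file with the Summary hashes. The scratch-file pattern (eight lowercase letters plus .tmp) and the C:\Program Files base used for the %Program Files% token are assumptions; the embedded excerpt is a subset of lines copied from this report.

```python
"""Turn the Lavasoft file-activity listing into a per-process IOC table.

Added example; not part of the Lavasoft report or its tooling. The
line formats it parses are the ones used on this page; the scratch-file
pattern (eight lowercase letters + .tmp) and the %Program Files% base
path are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hashes and size copied from the report's Summary block.
REPORT_HASHES = {
    "md5": "c78ba9cfd91fb30a09a95d46465b8637",
    "sha1": "4390ba60d5de3b6f8112441ff1fb1106821f11e9",
    "sha256": "f58c63d9dde3f13b268654c64c42493b91745fb67e1d97e3853820b2a7833632",
}
REPORT_SIZE = 512000

PROCESS_RE = re.compile(r"^The process (?P<image>.+?):(?P<pid>\d+) makes changes in the file system\.$")
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")
WRITE_HDR = "The Trojan creates and/or writes to the following file(s):"
DELETE_HDR = "The Trojan deletes the following file(s):"
SCRATCH_RE = re.compile(r"\\[a-z]{8}\.tmp$")  # assumed shape of the sample's scratch files
SAMPLE_IMAGE = "%original file name%.exe"     # how the report names the submitted sample


@dataclass
class ProcessActivity:
    image: str
    pid: int
    writes: List[Tuple[str, int]] = field(default_factory=list)
    deletes: List[Tuple[str, int]] = field(default_factory=list)


def parse_file_activity(text: str) -> List[ProcessActivity]:
    """Parse 'The process X:PID makes changes...' blocks into records."""
    procs: List[ProcessActivity] = []
    current = None
    bucket = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = ProcessActivity(m["image"], int(m["pid"]))
            procs.append(current)
            bucket = None
            continue
        if line == WRITE_HDR:
            bucket = "writes"
            continue
        if line == DELETE_HDR:
            bucket = "deletes"
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None and bucket is not None:
            getattr(current, bucket).append((m["path"], int(m["size"])))
    return procs


def infected_hosts(procs: List[ProcessActivity]) -> List[Tuple[str, int]]:
    """Executables the sample itself wrote to, excluding its scratch .tmp files.

    Writes made by child processes (WerFault, the Flash updater) are left
    out: they are side effects of the infected hosts running, not the
    sample's own changes.
    """
    return [
        (path, size)
        for p in procs if p.image == SAMPLE_IMAGE
        for path, size in p.writes if not SCRATCH_RE.search(path)
    ]


def expand_placeholders(path: str, program_files: str = r"C:\Program Files") -> str:
    """Replace the report's %Program Files% token (the base path is an assumption)."""
    return path.replace("%Program Files%", program_files)


def check_sample(data: bytes) -> Dict[str, bool]:
    """Compare a candidate file's size and digests with the report's Summary."""
    result = {"size": len(data) == REPORT_SIZE}
    for algo, expected in REPORT_HASHES.items():
        result[algo] = hashlib.new(algo, data).hexdigest() == expected
    return result


# Excerpt copied from the report above (a subset of its file-activity lines).
REPORT_EXCERPT = r"""
The process %original file name%.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\jopmedjd.tmp (320 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\jopmedjd.tmp (0 bytes)
The process wermgr.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer.tmp (178224 bytes)
"""

if __name__ == "__main__":
    for path, size in infected_hosts(parse_file_activity(REPORT_EXCERPT)):
        print(f"verify signature/hash of {expand_placeholders(path)} ({size} bytes written)")
```

The list that infected_hosts() produces is the set of files to verify on a suspect machine: compare each against the vendor's signed original (signature check, hash, file size), since a file-infecting virus modifies the host executable rather than dropping a new file, and the report's own .tmp entries are gone by the time the sample finishes and are useful only for sandbox correlation.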
Registry activity
The process WerFault.exe:2308 makes changes in the system registry. The \REGISTRY\A\{GUID}\DefaultObjectStore entries that make up most of this block are bookkeeping in an application hive written by the WerFault.exe process while it handles the infocard.exe crash (the report attributes them to that process); they are not persistence or configuration set by the sample. The Windows Error Reporting\Debug values (StoreLocation, ExceptionRecord) are the only ones worth reading, and they record the crash, not a setting made by the sample.
The Trojan creates and/or sets the following values in system registry:
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D4" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D4]
"14E" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000058E]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000598]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000595]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030FC" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030B1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F2" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DC" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D7]
"151" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030B1]
"14B" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D6" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B0E]
"154" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E3]
"159" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000596]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D6]
"150" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000598]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DC]
"153" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059D]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030FC]
"158" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059A]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"15A" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059F]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B11" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D7" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000594]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000593]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000591]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000594]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000591]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B11]
"155" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059E]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000593]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059A]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D3]
"14D" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000592]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DB" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059C]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\00000000000005A0]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000597]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059B]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000596]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059D]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000302F]
"14C" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DB]
"152" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\00000000000005A0]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F2]
"156" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000599]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "4D 4F 43 E0 01 00 00 00 00 00 00 00 6F D3 33 75"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D5]
"14F" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D5" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000305C]
"14A" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000305C" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000599]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000302F" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F3]
"157" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059C]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000058E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059F]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000595]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B0E" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000592]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
The process FlashPlayerUpdateService.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"
The process FlashPlayerUpdateService.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"UpdateAttempts" = "1"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
The process wermgr.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"
The process FlashPlayerInstaller.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
"(Default)" = "Shockwave Flash Object"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"
[HKCR\ShockwaveFlash.ShockwaveFlash.24]
"(Default)" = "Shockwave Flash Object"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,-17"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayName" = "Adobe Flash Player 24 ActiveX"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"
[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"LocalizedString" = "@C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe,-101"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"18.0" = "4294967295"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.24"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"16.0" = "4294967295"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isScriptDebugger" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "4294967295"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"
"NoModify" = "1"
"EstimatedSize" = "19364"
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
"(Default)" = "IFlashBroker6"
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\System.ControlPanel.Category\C:\Windows\system32]
"FlashPlayerCPLApp.cpl" = "10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "24"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "4294967295"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""
[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"15.0" = "4294967295"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"22.0" = "4294967295"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "4294967295"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType]
"Release" = "1"
[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"currentVersion" = "24,0,0,186"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"20.0" = "4294967295"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"13.0" = "4294967295"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"11.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"
[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"Version" = "24.0.0.186"
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
"(Default)" = "Shockwave Flash Object"
[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe -nohome %1"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"
[HKCR\.spl]
"Content Type" = "application/futuresplash"
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"
[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"14.0" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\system32\Macromed\Flash"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"21.0" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash" = ""
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags" = "0"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe -maintain activex"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx, 1"
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"Version" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"12.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\.sol]
"Content Type" = "text/plain"
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
"(Default)" = "Shockwave Flash Object"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "24.0.0.186"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil32_24_0_0_186_ActiveX.exe"
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx, 1"
[HKCR\.sor]
"Content Type" = "text/plain"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash" = ""
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"19.0" = "4294967295"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"24.0" = "186"
[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"17.0" = "4294967295"
"23.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_24_0_0_186_ActiveX.exe]
"DisableExceptionChainValidation" = "0"
[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"
[HKCR\ShockwaveFlash.ShockwaveFlash.24\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isESR" = "0"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"(Default)" = "FlashBroker"
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
"(Default)" = "Shockwave Flash Object"
[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_23_0_0_185_ActiveX.exe]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
[HKCR\FlashFactory.FlashFactory.1]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF}]
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\FlashFactory.FlashFactory\CurVer]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\.mfp]
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl]
[HKCR\FlashFactory.FlashFactory]
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open]
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\.spl]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
[HKCR\FlashFactory.FlashFactory\CLSID]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\FlashFactory.FlashFactory.1\CLSID]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"CurrentVersion"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash"
[HKCR\.sol]
"Content Type"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCR\.sor]
"Content Type"
Dropped PE files
MD5 | File path |
---|---|
800f88b199abbcafb7051124dff1cefd | c:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx |
22407f4f761e98bc6ad4ffa85754e789 | c:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll |
afcdf06dbdacb2c58045cac3a924e46b | c:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WerFault.exe:2308
FlashPlayerUpdateService.exe:2576
FlashPlayerUpdateService.exe:1820
wermgr.exe:2640
FlashPlayerInstaller.exe:1700
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer (166906 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBAB9.tmp.hdmp (167984 bytes)
C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (158 bytes)
C:\Windows\Temp\WERB663.tmp.appcompat.txt (12656 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBA6A.tmp.WERInternalMetadata.xml (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WER487.tmp.WERDataCollectionFailure.txt (80 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERB663.tmp.appcompat.txt (31 bytes)
C:\Windows\Temp\WERBAB9.tmp.hdmp (498066 bytes)
C:\Windows\Temp\WERE0EF.tmp.mdmp (4808 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall.log (892 bytes)
C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (1655206 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (11464 bytes)
C:\Windows\System32\jopmedjd.tmp (320 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\System32\olkelmpl.tmp (305 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (1 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\ehome\qnnboobi.tmp (800 bytes)
%Program Files%\Google\Update\ghfbjkol.tmp (388 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (304 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
C:\Windows\System32\snmptrap.exe (1281 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7547 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
C:\Windows\System32\fpohabbd.tmp (257 bytes)
C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (507 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\System32\hmbgnolk.tmp (766 bytes)
C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (274 bytes)
%Program Files%\WinPcap\iigafjee.tmp (356 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\msiexec.exe (1425 bytes)
C:\Windows\ehome\dadlhgbe.tmp (340 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer.tmp (178224 bytes)
C:\Windows\System32\FlashPlayerApp.exe (802 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll (542 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (443 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe (50 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx (11464 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (1086 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Oracle Corporation
Product Name: Java(TM) Platform SE 8 U45
Product Version: 8.0.450.15
Legal Copyright: Copyright (c) 2015
Legal Trademarks:
Original Filename: javaws.exe
Internal Name: Java(TM) Web Start Launcher
File Version: 11.45.2.15
File Description: Java(TM) Web Start Launcher
Comments:
Language: Japanese (Japan)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 161516 | 161792 | 4.5952 | f2c4ce65eec17c03b7c200bfbff8ad4e |
.rdata | 167936 | 24540 | 24576 | 3.30206 | 4755585d4da43d579320150225175fd5 |
.data | 192512 | 126872 | 33280 | 2.62812 | 54c45ec744e1b2bdf667fa3dc63b440b |
.rsrc | 319488 | 32896 | 33280 | 4.10399 | f1b687dd25bd88ddf34a7ea2e09c3949 |
.reloc | 356352 | 421888 | 258048 | 5.44606 | b7106950a556979601167fa8f084d6f0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1293.d.akamai.net/pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z | |
hxxp://a1293.d.akamai.net/get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13 | |
hxxp://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13 | 212.30.134.174 |
hxxp://fpdownload2.macromedia.com/pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z | 212.30.134.174 |
fpdownload.macromedia.com | 2.16.66.8 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13 HTTP/1.1
User-Agent: Adobe Flash Player
Host: fpdownload2.macromedia.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 380
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 15 Dec 2016 22:15:05 GMT
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /get/flashplayer/update/current/install/version.xml24.0.0.186~installV..
GET /pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z HTTP/1.1
Connection: Keep-Alive
User-Agent: Download Flash Player Installer/1.0
Host: fpdownload2.macromedia.com
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 13 Dec 2016 09:36:52 GMT
ETag: "12e9b1c-54386f5d34ce6"
Accept-Ranges: bytes
Content-Length: 19831580
Content-Encoding: x-compress
Date: Thu, 15 Dec 2016 22:14:15 GMT
Connection: keep-alive
0.......*.H............0........1.0... ......0....o..*.H...........^.....XMZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M..],..],..],..C~P.Y,...cB.X,..TTA.E,..z...Y,..z...R,..],...,..TTP..,..TTW..,..C~@.\,..],C.\,..TTE.\,..Rich],..........................PE..L...w.LX.....................B ......0.......@....@.................................`.....@.................................<........`....*..........t..X........#...C..............................(...@............@..l............................text...),.......................... ..`.rdata.......@.......2..............@..@.data....4... ......................@....rsrc.....*..`....*.."..............@..@.reloc...4.......6...>..............@..B........................................................................................................................................................................................................................................................................................................................."...V.t$..D6.......P.3...Y.p..@...@.......^.... ..`......L$......I..H.....t..........t..@. A..3......t..I..DH..3..VW.|$...................;.~.2.. .B........LA..G....DB...NHHf..IIf;.u...u..._^...V.t$...W............w...;.~.2..0.j....J. ........LA..F..DB...O@@f..AAf;.u...u..._^......L$.V..........%...;.^u..t$..8.....t.3.@..3....SV....W..t..@...3. F.@..W..........F.Y...TB.......ABBOu._^.....[.....u...P..I.SVW3..tH.2.....vI...f..0s
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1964:
.text
`.rdata
@.data
.rsrc
@.reloc
f9.tW
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
ADVAPI32.dll
SHELL32.dll
deploy.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
SHLWAPI.dll
c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u45\3627\build\windows-i586\deploy\jre-image\bin\javaws.pdb
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegEnumKeyW
RegCreateKeyExW
ShellExecuteW
CreatePipe
GetSystemWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
ole32.dll
OLEAUT32.dll
WSOCK32.dll
PeekNamedPipe
GetCPInfo
GetProcessHeap
total cmdline length: %d
total arguments: : %d
PROP (%s, %s)
127.0.0.1
osName: , osArch, quoteWholeProperty: %d
zcÃ
name="javaws.exe"
Java Web Start Launcher
3333333333330
333333333307
PP%d(jjjjj
0)000;0`0
2%3-343>3
8*9094989
.data
.idata
.reloc
.edata
Q\,.sg
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
CRTDLL.DLL
3$33393@3
;"; ;5;;;
4$4-4;4`4
4H4d4m4v4
kkqvx_.dll
.rdata
.pdata
@.idata
oovBlK7%2XJi
kkqvx_64.dll
22EnumDesktopWindows
user32.dll
%s_mtx%u
48CreatePipe
47PeekNamedPipe
09WinExec
d.tmp
zrundll32.exe
)rsvp.exe
dchrome.exe
consent.exe
sfc_os.dll
|sfc_os.dll
.SysFreeString
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
%s_mtx1
$.exe
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
Load failed in %s at function %s
11.45.2
Load failed in %s at function order:%d
11.0.0
\system32\javaws.exe
\sysWow64\javaws.exe
Error:x in SHGetFolderPathEx(FOLDERID_LocalAppDataLow, 0, NULL, pPath, MAX_PATH)
COM Error:x %s
Error:x in SHGetFolderPathW(NULL, CSIDL_APPDATA, NULL, 0, pPath)
Error:x in SHGetSpecialFolderPathW(NULL, pPath, CSIDL_APPDATA, TRUE)
Error:x in GetUserPathW(szPath)
Error:x in SHGetFolderPathEx(FOLDERID_LocalAppDataLow, 0, NULL, szPath, MAX_PATH)
Error:x in ::SHGetFolderPathW(0, CSIDL_COMMON_APPDATA, NULL, SHGFP_TYPE_CURRENT, szPath)
%s\Oracle\Java\java.settings.cfg
%s\%s
bin\java.exe
bin\client\jvm.dll
bin\server\jvm.dll
-ABCDEFFEDCBA}
%sd-d-d%s
-ABCDEFFEDCBB}
-ABCDEFFEDCBC}
{E19F9331-3110-11D4-991C-005004D3B3DB}
SOFTWARE\Classes\CLSID\%s\InprocServer32
Mozilla
Mozilla Firefox
mozilla.org
Advapi32.dll
IDispatch error #%d
%b %d %H:%M:%S
.d
[x]
P:d T:d %s%s
deployment.expiration.check.enabled
\bin\msvcr100.dll
\bin\deploy.dll
hXXp://java.com/inst-dl-redirect
\bin\javaw.exe
\lib\deploy.jar"
com.sun.deploy.panel.ControlPanel -userConfig "
deployment.modified.timestamp
deployment.expiration.decision
deployment.expiration.decision.timestamp
deployment.expiration.decision.suppression
deployment.expiration.decision.ttl
DeploymentRuleSet.jar
%s\Sun\Java\Deployment\%s
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%s%c%s
com.sun.javaws.Main
-Djnlpx.vmargs=%s
-Djavaplugin.user.profile=%s
-Djnlp.start.time=%lld
-Dsun.perflog%s
-Djnlp.launchTime%s
plugin.jar
deploy.jar
javaws.jar
%s%c%s%c%s%c%s%c%s%c%s
-Xbootclasspath/a:%s
-Xbootclasspath/p:%s
-Djava.ext.dirs=%s%c%s%c%s%c%s
-Djnlpx.home=%s
-Djnlpx.home=%s%c%s
-Djnlpx.splashport=%d
-splash:%s
-Djnlpx.jvm=%s
-Djnlpx.remove=%s
-Djava.security.policy=file:%s%cjavaws.policy
-Djava.awt.headless=true
MOZILLA_HOME
-Djava.security.manager
-Xms%s
-Xmx%s
-Djnlpx.heapsize=%s,%s
javaws.singleinstance.init
javaws.singleinstance.ack
javaws.singleinstance.init.openprint
deployment.webjava.enabled
deployment.expired.version
%d/%d/%d
08/14/2015
-import
-Djnlpx.origFilenameArg=
-Djnlp.fx=
-Djnlp.fx=%s
-Djnlp.tk=jfx
-Dsun.awt.warmup=true
%s%c%s%c%s
-notWebJava
msvcr100.dll
PATH=%s;"%s"
PATH="%s"
1.8.0_45
eula.dll
deployment.properties
LoadCfgFile: %s
com.sun.deploy.panel.JreLocator
hXXp://java.sun.com/products/autodl/j2se
Windows
test %d: path: regPath match
test %d: osname: regOsname match
test %d: osarch: regOsarch match
test %d: productV: regProductV match
test %d: productV: regProductV doesn't match
test %d: osarch: regOsarch doesn't match
test %d: osname: regOsname doesn't match
test %d: path: regPath doesn't match
test add new %d: regPath, registered: %d
deployment.javaws.jre.
%s%d%s
.platform
.product
.location
.path
.osname
.osarch
.enabled
.registered
DetermineVersion best match: %d: %s
laterVersion platver nil>%s(*) - %s
laterVersion platver %s(*)>%s - %s
laterVersion platver %s
laterVersion prodver %s(*)>%s - %s
laterVersion prodver %s==%s(*) - %s (nonRegisteredSystemJRE)
laterVersion prodver %s(*)==%s - %s
laterVersion prodver %s
isCurrentVersion: %s - %s
deployment.javaws.showSplashScreen
deployment.javaws.splash.index
deployment.javaws.appicon.index
deployment.javaws.secure.properties
deployment.security.use.insecure.launcher
adding secure arg:
http:
-D%s=%s
add secure props:
%s>
%s="%s"
%s%c%s%c%s%c%s
.native
JavaWebStart native start: %d
JavaWebStart native end: %d
Startup time - Native Code (ms): = %d
Java(TM) Web Start 11.45.2.15-fcs
%s %d
ws2_32.dll
wsock32.dll
JP2LReadyEvent_%d
%s%c%s.dll
Software\JavaSoft\Java Web Start\
javaw.exe
%s\bin
bin\javaws.exe
%s\bin\javaw.exe
jp2launcher.exe
%s\bin\jp2launcher.exe
javaws.exe
deployment.browser.vm.iexplorer
deployment.browser.vm.mozilla
java.quick.starter
deployment.jpi.mode.new
deployment.javafx.mode.enabled
%s\Sun\Java\Deployment
%s%c%s%c%s%c%s%c
%sËin%csplashscreen.dll
%sËin%cmsvcr*
%sËin%c%s
error.internal.badmsg
error.launch.sysexec
error.badinst.nocfg
Bad installation. Could not located javaws.cfg file
error.badinst.nojre
error.launch.execv
Error encountered while invoking Java Web Start (execv)
Error encountered while invoking Java Web Start (SysExec)
error.listener.failed
error.accept.failed
error.recv.failed
error.invalid.port
Splash: didn't revive a valid port
error.read
error.xmlparsing
error.splash.exit
Java Web Start splash screen process exiting ...
error.winsock
error.winsock.load
Couldn't load winsock.dll
error.winsock.star
error.badinst.nohome
error.splash.noimage
error.splash.socket
error.splash.cmnd
error.splash.port
Splash: port not specified
error.splash.send
error.splash.timer
error.splash.x11.open
error.splash.x11.connect
message.javaws.usage
-import [import-options]
import the application to the cache
import-options include:
import silently (with no user interface)
import application into the system cache
-codebase
.properties
%s%c%s%s%s
messages.properties
%s%c%s%s
%s%cwebStartAppIcon.icns
sun.java2d.noddraw
javaws.cfg.jauthenticator
swing.useSystemFontSettings
swing.metalTheme
http.agent
http.keepAlive
sun.awt.noerasebackground
sun.java2d.opengl
sun.java2d.d3d
java.awt.syncLWRequests
java.awt.Window.locationByPlatform
sun.awt.erasebackgroundonresize
sun.awt.keepWorkingSetOnMinimize
swing.noxp
swing.boldMetal
awt.useSystemAAFontSettings
sun.java2d.dpiaware
sun.awt.disableMixing
sun.lang.ClassLoader.allowArraySyntax
java.awt.smartInvalidate
apple.laf.useScreenMenuBar
java.net.preferIPv4Stack
java.util.Arrays.useLegacyMergeSort
sun.locale.formatasdefault
sun.awt.enableExtraMouseButtons
com.sun.management.jmxremote.local.only
sun.nio.ch.bugLevel
sun.nio.ch.disableSystemWideOverlappingFileLockCheck
jdk.map.althashing.threshold
%Program Files%\Java\jre6\lib\deploy
%Program Files%\Java\jre6\lib
%Program Files%\Java\jre6\bin
8637.exe
%original file name%.exe
Software\JavaSoft\Java Web Start\11.45.2
c:\%original file name%.exe
Java(TM) Web Start Launcher
11.45.2.15
8.0.450.15
%original file name%.exe_1964_rwx_0109A000_00064000:
.text
.data
.idata
.reloc
.edata
Q\,.sg
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
KERNEL32.dll
CRTDLL.DLL
3$33393@3
;"; ;5;;;
4$4-4;4`4
4H4d4m4v4
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
oovBlK7%2XJi
kkqvx_64.dll
22EnumDesktopWindows
user32.dll
%s_mtx%u
48CreatePipe
47PeekNamedPipe
09WinExec
d.tmp
zrundll32.exe
)rsvp.exe
dchrome.exe
consent.exe
sfc_os.dll
|sfc_os.dll
.SysFreeString
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
%s_mtx1
ole32.dll
$.exe
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
svchost.exe_2280:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
Host Process for Windows Services
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
rpcapd.exe_760:
.text
`.rdata
@.data
.rsrc
tGHt.Ht&
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
malloc() failed: %s
Only BPF/NPF filters are currently supported
RPCAP error: %s
Error reading the packets: %s
PassiveClient
New passive host list: %s
# Hosts which are allowed to connect to this server (passive mode)
# Format: PassiveClient =
PassiveClient = %s
# Format: ActiveClient = ,
ActiveClient = %s, %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
rpcapd [-b ] [-p ] [-6] [-l ] [-a ]
-p : the port to bind to. Default: it binds to port 2002
-a : run in active mode when connecting to 'host' on port 'port'
In case 'port' is omitted, the default port (2003) is used
passive connections as well
Connecting to host %s, port %s, using protocol %s
Error connecting to host %s, port %s, using protocol %s
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
%s: illegal option -- %c
%s: option requires an argument -- %c
%s failed with error %d: %s
c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb
wpcap.dll
WS2_32.dll
pthreadVC.dll
packet.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
%Program Files%\WinPcap\rpcapd.exe
%Program Files%\WinPcap\rpcapd.ini
-vWc}
.CWcu
.Vs}z
.Vs~{U
vGlt.Vc
.VsNcVc
v.NVs
v.NVsNlWc
v.NVsWG
v.NVsW
BVs.NVsF
A%U|A
H:\|H
Wc.wWc
C
2.hv{
aw.mS
J.Mwf&O=0
>c%Sv3:V
%B-m}
S41q.AM
iFd%u
2.NU^i
~U.AO
7*.gm|G
IC%X_
Å’~5'
%%XNl'
N@;.vx
bOh\N.mi_
kW.fZ
u4-3}|
>%UII`e
I*8.vy
xý`
%s_37
Q\,.sg
22EnumDesktopWindows
user32.dll
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
48CreatePipe
47PeekNamedPipe
09WinExec
sfc_os.dll
|sfc_os.dll
.SysFreeString
7oleaut32.dll
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
Dole32.dll
ole32.dll
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
4.1.0.2980
rpcapd.exe
rpcapd.exe_760_rwx_00475000_00027000:
%s_37
Q\,.sg
22EnumDesktopWindows
user32.dll
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
48CreatePipe
47PeekNamedPipe
09WinExec
sfc_os.dll
|sfc_os.dll
.SysFreeString
7oleaut32.dll
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
Dole32.dll
ole32.dll
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
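The dumps above repay a side-by-side read: the RWX region carved out of the original process (%original file name%.exe_1964_rwx_0109A000_00064000) and the RWX region inside rpcapd.exe (rpcapd.exe_760_rwx_00475000_00027000) share one block of strings (Q\,.sg, 22EnumDesktopWindows, 48CreatePipe, 47PeekNamedPipe, 09WinExec, sfc_os.dll, sfc.dll, 26RegSetKeySecurity, 3advapi32.dll and the same high-entropy fragments), none of which belongs to WinPcap's rpcapd, while the svchost.exe_2280 dump contains none of them. Code that turns up byte-for-byte in writable-and-executable memory of two unrelated processes is the signature of injection, and that correlation can be automated rather than eyeballed. The script below is an added example, not part of the report or of Lavasoft's tooling: it parses dump listings in the report's own layout (a header of the form process_pid or process_pid_rwx_address_size followed by one string per line), unions the strings of each process's RWX regions, and keeps the strings seen in RWX memory of two or more distinct processes. The embedded listing is excerpted and shortened from the sections above and labelled as such; the noise filter (PE section names and a baseline process treated as clean) is my own heuristic.

```python
"""Cross-process correlation of strings dumped from RWX memory regions.

Added example, not part of the original report. Parses dump listings in the
report's layout ("<process>_<pid>[_rwx_<addr>_<size>]:" header, one string per
line) and reports strings that recur in writable+executable regions of two or
more different processes. REPORT_EXCERPT is shortened from the report's own
"Strings from Dumps" section; the noise filter is a heuristic.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

HEADER = re.compile(
    r"^(?P<proc>.+?)_(?P<pid>\d+)"
    r"(?:_rwx_(?P<addr>[0-9A-Fa-f]+)_(?P<size>[0-9A-Fa-f]+))?:$"
)

# Section names show up in every image dump and carry no signal.
SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata",
                 ".pdata", ".reloc", ".rsrc", ".bss"}

# Excerpted (and shortened) from the dumps in the report above.
REPORT_EXCERPT = r"""
%original file name%.exe_1964_rwx_0109A000_00064000:
.text
.data
.idata
.reloc
Q\,.sg
KERNEL32.dll
CRTDLL.DLL
kkqvx_.dll
kkqvx_64.dll
22EnumDesktopWindows
user32.dll
%s_mtx%u
48CreatePipe
47PeekNamedPipe
09WinExec
zrundll32.exe
consent.exe
sfc_os.dll
sfc.dll
ole32.dll
26RegSetKeySecurity
3advapi32.dll
svchost.exe_2280:
.text
.rsrc
msvcrt.dll
KERNEL32.dll
ole32.dll
RegOpenKeyExW
svchost.pdb
Host Process for Windows Services
rpcapd.exe_760_rwx_00475000_00027000:
%s_37
Q\,.sg
22EnumDesktopWindows
user32.dll
48CreatePipe
47PeekNamedPipe
09WinExec
sfc_os.dll
sfc.dll
ole32.dll
26RegSetKeySecurity
3advapi32.dll
"""


def parse_dumps(text: str) -> Dict[str, Set[str]]:
    """Map each dump header (without its trailing colon) to its set of strings."""
    dumps: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER.match(line):
            current = line[:-1]
            dumps[current] = set()
        elif current is not None:
            dumps[current].add(line)
    return dumps


def is_section_name(s: str) -> bool:
    """Strip the characteristics prefix the dumper leaves ("`", "@") first."""
    return s.lstrip("`@") in SECTION_NAMES


def rwx_strings_by_process(dumps: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Union of strings per process name, taken from its RWX-region dumps only."""
    per_proc: Dict[str, Set[str]] = defaultdict(set)
    for header, strings in dumps.items():
        m = HEADER.match(header + ":")
        if m and m.group("addr"):
            per_proc[m.group("proc")] |= strings
    return per_proc


def shared_injected_strings(dumps: Dict[str, Set[str]],
                            baseline_proc: Optional[str] = None,
                            min_procs: int = 2) -> List[str]:
    """Strings present in RWX memory of at least `min_procs` distinct processes,
    minus section names and anything the baseline (clean) process also has."""
    baseline: Set[str] = set()
    if baseline_proc:
        for header, strings in dumps.items():
            if header.startswith(baseline_proc + "_"):
                baseline |= strings
    seen_in: Dict[str, Set[str]] = defaultdict(set)
    for proc, strings in rwx_strings_by_process(dumps).items():
        for s in strings:
            if not is_section_name(s) and s not in baseline:
                seen_in[s].add(proc)
    return sorted(s for s, procs in seen_in.items() if len(procs) >= min_procs)


if __name__ == "__main__":
    dumps = parse_dumps(REPORT_EXCERPT)
    for s in shared_injected_strings(dumps, baseline_proc="svchost.exe"):
        print(s)
```

On the full dumps the same intersection also pulls in the long high-entropy fragments, which are the strings to feed into a YARA rule or a memory scan of the other processes listed in the report; the baseline filter is what keeps ubiquitous imports such as ole32.dll out of that rule.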