Trojan.Win32.Midgare.uik (Kaspersky), Trojan.Autoit.ASO (AdAware), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 049217ffa38f611ddbf98b2a2c403417
SHA1: 9a989f6d6fff341ed8d5faa12ae4e7feec25308e
SHA256: 3abcf37456d7f2bfccc4d3e55bfeaeebe6a72d53366a3253e95c073dde0f5d00
SSDeep: 98304:pQSGQolvSm8dEArGpoJnsKLd35X8x/2BXvrHH MzUDjxIcy38HX7wRAS/cNFasPf:JGP98dZgoScJX8xeBz6Dd0oX7wRAS0NB
Size: 5959678 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Sadu
Created at: 2017-02-20 13:41:26
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3628
%original file name%.exe:3680
The Trojan injects its code into the following process(es):
csrcs.exe:140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Maintenance\apps\maintenance.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zx201731320187230.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ze201731320187230.tmp (724750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zbe201731320187230.bat (153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zb201731320187230.bat (500 bytes)
The process %original file name%.exe:3680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD4CB.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hfebskn (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\s.cmd (161 bytes)
C:\Windows\System32\csrcs.exe (45580 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD4CB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hfebskn (0 bytes)
C:\%original file name%.exe (0 bytes)
The process csrcs.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autFBBC.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\suexpyu (157 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autFBBC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\suexpyu (0 bytes)
Registry activity
The process %original file name%.exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DRM\amty]
"fix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"csrcs" = "C:\Windows\system32\csrcs.exe"
[HKLM\SOFTWARE\Microsoft\DRM\amty]
"fix1" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\DRM\amty]
"ilop" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden" = "0"
"ShowSuperHidden" = "0"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe csrcs.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
94cf8d379004ad00b6b4133f251bcbb9 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Maintenance\apps\maintenance.exe |
0e01f5e4c0bc3ea322ef3b6683d740d5 | c:\Windows\System32\csrcs.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3628
%original file name%.exe:3680
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Maintenance\apps\maintenance.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zx201731320187230.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ze201731320187230.tmp (724750 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zbe201731320187230.bat (153 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\zb201731320187230.bat (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autD4CB.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hfebskn (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\s.cmd (161 bytes)
C:\Windows\System32\csrcs.exe (45580 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autFBBC.tmp (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\suexpyu (157 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe csrcs.exe"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 30906 | 31232 | 4.55796 | 79f0f9d6ec290375dd6e61dab51c9cd1 |
.rdata | 36864 | 4512 | 4608 | 3.4397 | e750e4ad5a7a714e49e050729dd6b665 |
.data | 45056 | 12632 | 2560 | 1.72182 | 29ae6f5c465816ff92576a85ca11e74e |
.rsrc | 61440 | 5581012 | 5581312 | 5.53978 | 2ca559fa81fe3180cee00941a02d107f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
explorer.exe_3612:
.text
.text
`.data
`.data
.rsrc
.rsrc
@.reloc
@.reloc
ADVAPI32.dll
ADVAPI32.dll
ntdll.DLL
ntdll.DLL
KERNEL32.dll
KERNEL32.dll
GDI32.dll
GDI32.dll
USER32.dll
USER32.dll
msvcrt.dll
msvcrt.dll
SHLWAPI.dll
SHLWAPI.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
EXPLORERFRAME.dll
EXPLORERFRAME.dll
UxTheme.dll
UxTheme.dll
POWRPROF.dll
POWRPROF.dll
dwmapi.dll
dwmapi.dll
slc.dll
slc.dll
gdiplus.dll
gdiplus.dll
Secur32.dll
Secur32.dll
SSPICLI.DLL
SSPICLI.DLL
RPCRT4.dll
RPCRT4.dll
PROPSYS.dll
PROPSYS.dll
QSShM
QSShM
PSSh^
PSSh^
FtPhq
FtPhq
SSSSh
SSSSh
SShxS
SShxS
PSSh,
PSSh,
QPSSSShL
QPSSSShL
t7WSSh
t7WSSh
SSShO
SSShO
tfSSh
tfSSh
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel
kernel32.dll
kernel32.dll
t.It It
t.It It
taSSSh
taSSSh
explorer.exe
explorer.exe
FtPhO
FtPhO
SSShI
SSShI
F8SSh
F8SSh
tRSSh
tRSSh
PSSh|$
PSSh|$
PSShL$
PSShL$
t}SShV
t}SShV
tKSSSh
tKSSSh
t SSSh
t SSSh
?.ulf
?.ulf
.ue9]
.ue9]
TaskDialogIndirect
TaskDialogIndirect
TSAppCMP.DLL
TSAppCMP.DLL
SSShT
SSShT
PSSShA
PSSShA
SSSh?
SSSh?
SSShB
SSShB
t.Ht%Ht
t.Ht%Ht
SSSShD
SSSShD
WINMM.dll
WINMM.dll
CFGMGR32.dll
CFGMGR32.dll
WINSTA.dll
WINSTA.dll
OLEACC.dll
OLEACC.dll
WINBRAND.dll
WINBRAND.dll
DUI70.dll
DUI70.dll
SndVolSSO.DLL
SndVolSSO.DLL
netutils.dll
netutils.dll
wkscli.dll
wkscli.dll
NetGetJoinInformation
NetGetJoinInformation
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegCreateKeyW
RegCreateKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegDeleteKeyExW
RegDeleteKeyExW
RegOpenKeyW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegEnumKeyExW
CreateIoCompletionPort
CreateIoCompletionPort
GetWindowsDirectoryW
GetWindowsDirectoryW
GetProcessHeap
GetProcessHeap
SetProcessShutdownParameters
SetProcessShutdownParameters
OffsetViewportOrgEx
OffsetViewportOrgEx
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
EnumChildWindows
EnumChildWindows
GetKeyboardLayout
GetKeyboardLayout
ActivateKeyboardLayout
ActivateKeyboardLayout
GetProcessWindowStation
GetProcessWindowStation
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
TileWindows
TileWindows
CascadeWindows
CascadeWindows
EnumWindows
EnumWindows
UnregisterHotKey
UnregisterHotKey
RegisterHotKey
RegisterHotKey
GetAsyncKeyState
GetAsyncKeyState
GetKeyState
GetKeyState
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
ExitWindowsEx
ExitWindowsEx
_amsg_exit
_amsg_exit
_wcmdln
_wcmdln
SHDeleteKeyW
SHDeleteKeyW
SHQueryInfoKeyW
SHQueryInfoKeyW
AssocQueryKeyW
AssocQueryKeyW
ShellExecuteExW
ShellExecuteExW
ShellExecuteW
ShellExecuteW
SHFileOperationW
SHFileOperationW
SLGetWindowsInformationDWORD
SLGetWindowsInformationDWORD
GdiplusShutdown
GdiplusShutdown
explorer.pdb
explorer.pdb
name="Microsoft.Windows.Shell.explorer"
name="Microsoft.Windows.Shell.explorer"
version="5.1.0.0"
version="5.1.0.0"
Windows Shell
Windows Shell
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
true
true
{;;;;{;;
{;;;;{;;
I51111111111111.1.1.B
I51111111111111.1.1.B
46464444
46464444
*,,.,,.,'/'....'/
*,,.,,.,'/'....'/
1888661
1888661
A1..=||wwwwpggb_a`X.?0......Tmmkj__.
A1..=||wwwwpggb_a`X.?0......Tmmkj__.
k}??F.o
k}??F.o
Ja(%F
Ja(%F
uz.In
uz.In
#-.12220 *!
#-.12220 *!
(-12220
(-12220
Knmhe.HH
Knmhe.HH
%Mgr.RhY4RfE5Qd:d
%Mgr.RhY4RfE5Qd:d
2
2
&$%Uooqkezs
&$%Uooqkezs
['$$#%&(4
['$$#%&(4
5>^666^.>66^6>>>
5>^666^.>66^6>>>
>>^6^.>^6>
>>^6^.>^6>
5^66^6>66
5^66^6>66
6>>6^6^>=>>6>6>
6>>6^6^>=>>6>6>
>>^66>6>^6^6^6
>>^66>6>^6^6^6
>=>>^6>>=
>=>>^6>>=
=_>>7>_6_>>>>
=_>>7>_6_>>>>
>^.>^.6^'
>^.>^.6^'
=6^66^66>>
=6^66^66>>
7''''))
7''''))
3'')))33.
3'')))33.
.mnnw
.mnnw
4444444444
4444444444
288888888882
288888888882
911111111119
911111111119
,Cÿ>I
,Cÿ>I
..--11///06
..--11///06
%F|aD
%F|aD
%XX^^
%XX^^
%XXX^
%XXX^
%UXXX
%UXXX
!$$$$'$$#$!!"
!$$$$'$$#$!!"
6****,@=
6****,@=
!!1.WN
!!1.WN
!..WKA@?
!..WKA@?
::8240-)%2/
::8240-)%2/
,-(%(-(%%*%**17
,-(%(-(%%*%**17
!#)'&4,-
!#)'&4,-
=$.VP^
=$.VP^
0.rJ)I
0.rJ)I
\.gh.v(sO
\.gh.v(sO
W%3UI
W%3UI
0.aT@
0.aT@
%D&PJ
%D&PJ
1.JV2
1.JV2
t4%CU
t4%CU
uvm%s|
uvm%s|
Ep.SU0
Ep.SU0
kq.kV
kq.kV
njW%c
njW%c
!/.!375
!/.!375
@$@:'&%:
@$@:'&%:
(*),,,0001
(*),,,0001
!!! ###%%$
!!! ###%%$
n.2.Ãdddddddd
n.2.Ãdddddddd
*.UGA
*.UGA
%u}} mtt
%u}} mtt
&PQMSornurl[
&PQMSornurl[
%XR8]
%XR8]
....raK
....raK
***.sdR
***.sdR
,-il}
,-il}
%%%ÃŒccr`H
%%%ÃŒccr`H
./".LMBNmnPPa
./".LMBNmnPPa
.jkL^
.jkL^
45 .WX]n
45 .WX]n
$$$$!!!!
$$$$!!!!
%%%%$$$$!!!!
%%%%$$$$!!!!
&&&&%%%%$$$$!!!!
&&&&%%%%$$$$!!!!
@6'~@6'~
@6'~@6'~
=4$|=4$|
=4$|=4$|
$$$$""""
$$$$""""
%%%%$$$$""""
%%%%$$$$""""
&&&&%%%%$$$$""""
&&&&%%%%$$$$""""
;2${;2${=4$}
;2${;2${=4$}
####!!!!
####!!!!
$$$$####!!!!
$$$$####!!!!
%%%%$$$$####!!!!
%%%%$$$$####!!!!
&&&&%%%%$$$$####!!!!
&&&&%%%%$$$$####!!!!
####""""
####""""
$$$$####""""
$$$$####""""
%%%%$$$$####""""
%%%%$$$$####""""
4 4$4(4,4
4 4$4(4,4
;#
;#
; ;(;0;8;
; ;(;0;8;
1 1$1(1,1014181
1 1$1(1,1014181
3"3)30373>3
3"3)30373>3
70767
70767
%0,090?0
%0,090?0
=0>9>?>[>
=0>9>?>[>
5 5&565
5 5&565
; ;$;(;,;0;4;8;
; ;$;(;,;0;4;8;
5#5)5:5@5]5
5#5)5:5@5]5
= >(>8>>>
= >(>8>>>
; ;$;(;,;0;4;
; ;$;(;,;0;4;
323d3m3
323d3m3
3 3%3:3|3
3 3%3:3|3
0 1$1(1,10141
0 1$1(1,10141
9 9$9(9,9
9 9$9(9,9
9(:,:0:4:8:<:>
9(:,:0:4:8:<:>
1 2$2(2,20242
1 2$2(2,20242
: :$:(:,:
: :$:(:,:
:(;,;0;4;8;
:(;,;0;4;8;
2 3$3(3,30343
2 3$3(3,30343
; ;$;(;,;
; ;$;(;,;
;(
;(
9":,:^:{:
9":,:^:{:
0$0*01070?0
0$0*01070?0
:$: :1:7:
:$: :1:7:
5"5=5{5=6
5"5=5{5=6
UseExecutableForTaskbarGroupIcon
UseExecutableForTaskbarGroupIcon
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
{59031a47-3f72-44a7-89c5-5595fe6b30ee}
{59031a47-3f72-44a7-89c5-5595fe6b30ee}
imageres.dll
imageres.dll
::{E44E5D18-0652-4508-A4E2-8A090067BCB0}
::{E44E5D18-0652-4508-A4E2-8A090067BCB0}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\5\::{D20EA4E1-3957-11d2-A40B-0C5020524153}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\5\::{D20EA4E1-3957-11d2-A40B-0C5020524153}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\::{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\0\::{38A98528-6CBF-4CA9-8DC0-B1E1D10F7B1B}
::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions
shell:::{e345f35f-9397-435c-8f95-4e922c26259e}
shell:::{e345f35f-9397-435c-8f95-4e922c26259e}
shell:::{daf95313-e44d-46af-be1b-cbacea2c3065}
shell:::{daf95313-e44d-46af-be1b-cbacea2c3065}
%s\%s
%s\%s
user.bmp
user.bmp
%s\%s\%s
%s\%s\%s
%s::%s
%s::%s
{A1965210-3A9D-4bca-822B-433645B3F5A2}
{A1965210-3A9D-4bca-822B-433645B3F5A2}
%LocalAppData%\Microsoft\Windows\Explorer
%LocalAppData%\Microsoft\Windows\Explorer
Local\ExplorerIsShellMutex
Local\ExplorerIsShellMutex
Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{EF87B4CB-F2CE-4785-8658-4CA6C63E38C6}\TopViews\{00000000-0000-0000-0000-000000000000}
Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{EF87B4CB-F2CE-4785-8658-4CA6C63E38C6}\TopViews\{00000000-0000-0000-0000-000000000000}
Software\Policies\Microsoft\Windows\Explorer
Software\Policies\Microsoft\Windows\Explorer
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
DisabledHotkeys
DisabledHotkeys
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DelayedApps
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DelayedApps
Software\Microsoft\Windows NT\CurrentVersion\Windows,Load
Software\Microsoft\Windows NT\CurrentVersion\Windows,Load
Software\Microsoft\Windows NT\CurrentVersion\Windows
Software\Microsoft\Windows NT\CurrentVersion\Windows
UserChosenExecuteHandlers\%s
UserChosenExecuteHandlers\%s
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
Software\Microsoft\Windows\CurrentVersion\ThemeManager
Software\Microsoft\Windows\CurrentVersion\ThemeManager
USER32.DLL
USER32.DLL
Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
comctl32.dll
comctl32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
Software\Microsoft\Windows\CurrentVersion\Themes
Software\Microsoft\Windows\CurrentVersion\Themes
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
system.ini
system.ini
::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\2\::{A8A91A66-3A7D-4424-8D24-04E180695C7A}
::{26EE0668-A00A-44D7-9371-BEB064C98683}\2\::{A8A91A66-3A7D-4424-8D24-04E180695C7A}
{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
::{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
::{0c39a5cf-1a7a-40c8-ba74-8900e6df5fcd}
::{0c39a5cf-1a7a-40c8-ba74-8900e6df5fcd}
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Shell\ResponseMonitor
SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Shell\ResponseMonitor
Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
AppEvents\Schemes\Apps\%s\%s\.current
AppEvents\Schemes\Apps\%s\%s\.current
.Default
.Default
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\UAS
control.exe
control.exe
{A4756F80-4AE7-4A1F-A776-F5E9D9B04406}
{A4756F80-4AE7-4A1F-A776-F5E9D9B04406}
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
Software\Microsoft\Windows\DWM
Software\Microsoft\Windows\DWM
Microsoft-Windows-DesktopWindowManager-Core-LivePreviewAllowed
Microsoft-Windows-DesktopWindowManager-Core-LivePreviewAllowed
Microsoft.Windows.ControlPanel.Taskbar
Microsoft.Windows.ControlPanel.Taskbar
%systemRoot%\system32\rundll32.exe %systemRoot%\system32\shell32.dll,Options_RunDLL 1
%systemRoot%\system32\rundll32.exe %systemRoot%\system32\shell32.dll,Options_RunDLL 1
shell32.dll,-40
shell32.dll,-40
@explorer.exe,-810
@explorer.exe,-810
Microsoft.NotificationAreaIcons
Microsoft.NotificationAreaIcons
timedate.cpl
timedate.cpl
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations\
Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations\
HELP_ENTRY_ID_START_MENU_HELP_AND_SUPPORT
HELP_ENTRY_ID_START_MENU_HELP_AND_SUPPORT
WindowsLogon
WindowsLogon
WindowsLogoff
WindowsLogoff
*PIDx
*PIDx
Windows
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
install.exe
install.exe
@themeui.dll,-853
@themeui.dll,-853
@themeui.dll,-852
@themeui.dll,-852
@themeui.dll,-851
@themeui.dll,-851
@themeui.dll,-850
@themeui.dll,-850
runonce.exe
runonce.exe
NoDataExecutionPrevention
NoDataExecutionPrevention
UpdateURL
UpdateURL
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationCustomization
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationCustomization
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
Software\Microsoft\Windows NT\CurrentVersion\Windows,Run
Software\Microsoft\Windows NT\CurrentVersion\Windows,Run
Software\Microsoft\Windows\CurrentVersion\OOBE
Software\Microsoft\Windows\CurrentVersion\OOBE
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts
shell32.dll
shell32.dll
Microsoft.UserAccounts
Microsoft.UserAccounts
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
NewExeName
NewExeName
desk.cpl
desk.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedPidlMRULegacy
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedPidlMRULegacy
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedPidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedPidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSavePidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSavePidlMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Software\Microsoft\Internet Explorer\TypedURLs
Software\Microsoft\Internet Explorer\TypedURLs
mshelp://windows/?id=c45acd5d-98b5-4245-8ce6-1f7bba654767
mshelp://windows/?id=c45acd5d-98b5-4245-8ce6-1f7bba654767
System.StructuredQueryType.AllBitsSet
System.StructuredQueryType.AllBitsSet
System.StructuredQueryType.AnyBitsSet
System.StructuredQueryType.AnyBitsSet
System.StructuredQueryType.SortKeyDescription
System.StructuredQueryType.SortKeyDescription
Accessories\Windows PowerShell\Windows PowerShell.lnk
Accessories\Windows PowerShell\Windows PowerShell.lnk
Administrative Tools\Server Manager.lnk
Administrative Tools\Server Manager.lnk
Windows Media Player.lnk
Windows Media Player.lnk
Accessories\Windows Explorer.lnk
Accessories\Windows Explorer.lnk
Internet Explorer.lnk
Internet Explorer.lnk
Accessories\Notepad.lnk
Accessories\Notepad.lnk
Accessories\Command Prompt.lnk
Accessories\Command Prompt.lnk
Windows Fax and Scan.lnk
Windows Fax and Scan.lnk
XPS Viewer.lnk
XPS Viewer.lnk
Accessories\displayswitch.lnk
Accessories\displayswitch.lnk
Accessories\Wordpad.lnk
Accessories\Wordpad.lnk
Windows Anytime Upgrade.lnk
Windows Anytime Upgrade.lnk
{00D8862B-6453-4957-A821-3D98D74C76BE}
{00D8862B-6453-4957-A821-3D98D74C76BE}
Accessories\Accessibility\Magnify.lnk
Accessories\Accessibility\Magnify.lnk
Accessories\Remote Desktop Connection.lnk
Accessories\Remote Desktop Connection.lnk
Accessories\Paint.lnk
Accessories\Paint.lnk
Accessories\Snipping Tool.lnk
Accessories\Snipping Tool.lnk
Accessories\Sticky Notes.lnk
Accessories\Sticky Notes.lnk
Accessories\Calculator.lnk
Accessories\Calculator.lnk
Media Center.lnk
Media Center.lnk
Accessories\Welcome Center.lnk
Accessories\Welcome Center.lnk
Microsoft.Windows.ControlPanel
Microsoft.Windows.ControlPanel
CLSID\%s\ShellExplorerRoot
CLSID\%s\ShellExplorerRoot
AlwaysShowMenus
AlwaysShowMenus
WebView
WebView
AltTab_KeyHookWnd
AltTab_KeyHookWnd
/globalhotkey
/globalhotkey
"%systemroot%\system32\magnify.exe"
"%systemroot%\system32\magnify.exe"
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
shell32.dll,WaitForExplorerRestart "
shell32.dll,WaitForExplorerRestart "
"%systemroot%\system32\rundll32.exe"
"%systemroot%\system32\rundll32.exe"
%s%d%s
%s%d%s
%s, %s, %s
%s, %s, %s
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationArea\PromotedIcon2
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationArea\PromotedIcon2
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationArea\PromotedIcon1
Software\Microsoft\Windows\CurrentVersion\Explorer\NotificationArea\PromotedIcon1
?guid=%s&hwnd=%lu&id=%lu&ecrc=%lu
?guid=%s&hwnd=%lu&id=%lu&ecrc=%lu
{00000000-0000-0000-0000-000000000000}
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\Volume
mshelp://windows/?id=5de7c31f-1b8b-4431-9d3d-c0994939b186
mshelp://windows/?id=5de7c31f-1b8b-4431-9d3d-c0994939b186
\\?\UNC\
\\?\UNC\
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
taskmgr.exe
taskmgr.exe
ShellExecute
ShellExecute
Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d
Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d
AppEvents\Schemes\Apps\.Default\%ws\.Current
AppEvents\Schemes\Apps\.Default\%ws\.Current
D:(A;;GA;;;SY)(A;;0x%x;;;%s)
D:(A;;GA;;;SY)(A;;0x%x;;;%s)
D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW)
D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW)
%s%I64u%s
%s%I64u%s
%s%g%s
%s%g%s
%s%I64d%s
%s%I64d%s
RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s
RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s
RunDLL32.EXE
RunDLL32.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ControlPanel\NameSpace\{5ea4f148-308c-46d7-98a9-49041b1dd468}
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ControlPanel\NameSpace\{5ea4f148-308c-46d7-98a9-49041b1dd468}
Software\Microsoft\Windows\CurrentVersion\SMDEn
Software\Microsoft\Windows\CurrentVersion\SMDEn
SOFTWARE\Microsoft\Windows\Tablet PC
SOFTWARE\Microsoft\Windows\Tablet PC
OEM%d
OEM%d
%s %s
%s %s
%SystemRoot%\system32\GettingStarted.exe
%SystemRoot%\system32\GettingStarted.exe
Microsoft.Windows.GettingStarted
Microsoft.Windows.GettingStarted
SBOEM%d
SBOEM%d
Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn
Software\Microsoft\Windows\CurrentVersion\Explorer\TBDEn
Software\Microsoft\Windows\CurrentVersion\Explorer\OEMWC
Software\Microsoft\Windows\CurrentVersion\Explorer\OEMWC
Accessories\Mobility Center.lnk
Accessories\Mobility Center.lnk
@%s,%d
@%s,%d
WCOEM%d
WCOEM%d
Software\Microsoft\Windows\CurrentVersion\Explorer\WCDEn
Software\Microsoft\Windows\CurrentVersion\Explorer\WCDEn
{00021401-0000-0000-C000-000000000046}
{00021401-0000-0000-C000-000000000046}
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
StartMenuKeyBoard
StartMenuKeyBoard
StartMenuKeyBoardComposited
StartMenuKeyBoardComposited
201ef99a-7fa0-444c-9399-19ba84f12a1a
201ef99a-7fa0-444c-9399-19ba84f12a1a
%WINDOWS_LONG%
%WINDOWS_LONG%
mshelp://windows/?id=83f968d5-844e-408c-a7c4-69ff50f0ff54
mshelp://windows/?id=83f968d5-844e-408c-a7c4-69ff50f0ff54
@tzres.dll,
@tzres.dll,
\tzres.dll
\tzres.dll
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s.mui
.\%s\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s\%s.mui
guest.bmp
guest.bmp
"? %s"
"? %s"
hXXps://
hXXps://
hXXp://
hXXp://
Windows Explorer
Windows Explorer
6.1.7601.17567 (win7sp1_gdr.110224-1502)
6.1.7601.17567 (win7sp1_gdr.110224-1502)
EXPLORER.EXE
EXPLORER.EXE
Windows
Windows
Operating System
Operating System
6.1.7601.17567
6.1.7601.17567
csrcs.exe_140:
`.rsrc
`.rsrc
tc.Jl
tc.Jl
t.HHt
t.HHt
PSSht
PSSht
t*9\$ t.Wj
t*9\$ t.Wj
|$(;|$,~
|$(;|$,~
t=Ot.Ot
t=Ot.Ot
t%f=O
t%f=O
t.Ht Ht
t.Ht Ht
!!!!!!""#$%&'(((((())* ,-.DDDDDDDD//01234555676789:;<:>?@ABC
!!!!!!""#$%&'(((((())* ,-.DDDDDDDD//01234555676789:;<:>?@ABC
.VVVVVSRSSj
.VVVVVSRSSj
tGHt.Ht&
tGHt.Ht&
.Jw3;Jw
.Jw3;Jw
operand of unlimited repeat could match the empty string
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
POSIX named classes are supported only within a class
erroffset passed as NULL
erroffset passed as NULL
POSIX collating elements are not supported
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
(*VERB) with an argument is not supported
mscoree.dll
mscoree.dll
.mixcrt
.mixcrt
KERNEL32.DLL
KERNEL32.DLL
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
USER32.DLL
USER32.DLL
operator
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
uxtheme.dll
uxtheme.dll
user32.dll
user32.dll
Advapi32.dll
Advapi32.dll
GetProcessWindowStation
GetProcessWindowStation
SetProcessWindowStation
SetProcessWindowStation
CloseWindowStation
CloseWindowStation
userenv.dll
userenv.dll
OpenWindowStationW
OpenWindowStationW
kernel32.dll
kernel32.dll
APPSKEY
APPSKEY
ASC 0%d
ASC 0%d
Psapi.dll
Psapi.dll
shell32.dll
shell32.dll
Wininet.dll
FtpGetFileSize
ICMP.DLL
InternetOpenUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
FtpOpenFileW
InternetCrackUrlW
zcÃ
CreatePipe
GetWindowsDirectoryW
GetCPInfo
GetProcessHeap
GetConsoleOutputCP
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegCloseKey
RegOpenKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
EnumThreadWindows
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
GetKeyboardLayoutNameA
EnumWindows
EnumChildWindows
MapVirtualKeyW
GetKeyboardLayoutNameW
RegisterHotKey
VkKeyScanA
UnregisterHotKey
keybd_event
ExitWindowsEx
.text
`.rdata
@.data
.rsrc
;.zie
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
MPR.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
WSOCK32.dll
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
URLDOWNLOADTOFILE
%s (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
FtpBinaryMode
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
UNKN%d
WIN32_WINDOWS
.DEFAULT\Control Panel\Desktop\ResourceLocale
3, 2, 12, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Windows\System32\csrcs.exe
7.9.0.5
csrcs.exe_140_rwx_00401000_0008F000:
t.HHt
PSSht
t*9\$ t.Wj
|$(;|$,~
t=Ot.Ot
t%f=O
t.Ht Ht
!!!!!!""#$%&'(((((())* ,-.DDDDDDDD//01234555676789:;<:>?@ABC
.VVVVVSRSSj
tGHt.Ht&
.Jw3;Jw
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
operator
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.
uxtheme.dll
user32.dll
Advapi32.dll
GetProcessWindowStation
SetProcessWindowStation
CloseWindowStation
userenv.dll
OpenWindowStationW
kernel32.dll
APPSKEY
ASC 0%d
Psapi.dll
shell32.dll
Wininet.dll
FtpGetFileSize
ICMP.DLL
InternetOpenUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
FtpOpenFileW
InternetCrackUrlW
zcÃ
CreatePipe
GetWindowsDirectoryW
GetCPInfo
GetProcessHeap
GetConsoleOutputCP
RegDeleteKeyW
RegCreateKeyExW
RegEnumKeyExW
RegCloseKey
RegOpenKeyExW
SetViewportOrgEx
ShellExecuteExW
SHFileOperationW
ShellExecuteW
EnumThreadWindows
GetAsyncKeyState
SetKeyboardState
GetKeyboardState
GetKeyState
GetKeyboardLayoutNameA
EnumWindows
EnumChildWindows
MapVirtualKeyW
GetKeyboardLayoutNameW
RegisterHotKey
VkKeyScanA
UnregisterHotKey
keybd_event
ExitWindowsEx
.text
`.rdata
@.data
.rsrc
;.zie
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
URLDOWNLOADTOFILE
%s (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
FtpBinaryMode
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
UNKN%d
WIN32_WINDOWS
.DEFAULT\Control Panel\Desktop\ResourceLocale
3, 2, 12, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\Windows\System32\csrcs.exe