Susp_Dropper (Kaspersky), Gen:Variant.Adware.Symmi.41092 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 45be0ba90bed9769996964b9ab65df22
SHA1: 51cac1c297c2ba71f70db4c1c34acc6de715e1b3
SHA256: 0546c136bd33f1db43906c662aebc7052398ae77db408d46b5911492c2823349
SSDeep: 12288:hChNaPG4GjeZHkwuPikQ7lKH5p5H9x1teZHkwuXiZQblKh5pDxXTd8zb0:hChNUG4GjeZEXi37l6Br1teZEviObl2J
Size: 649741 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3800
chrome.exe:3928
chrome.exe:1808
regsvr32.exe:2496
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\default\MediaWatchV1home7445_32.png (10 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (1438 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (13747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome.manifest (149 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll (19321 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe (11397 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (424 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445.js (747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\overlay.xul (344 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445ffaction.js (678 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\Thumbs.db (564 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE67.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp (0 bytes)
The process chrome.exe:3928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\ffMediaWatchV1home7445chaction.js (834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_64.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (5 bytes)
The process chrome.exe:1808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (969 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\D940.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log (69 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_XNFbplNQia974aj (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (1188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (596 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA7B.tmp (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (1768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214 (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3C.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V1D2EDSBRU76AHZJFWR.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (2753 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (4692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (10985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\1963.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (3450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (33745 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA8C.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor (1374 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies (78 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_12F2a5PPplkvI0f (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3B.tmp (160 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences~RF15da47.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF1631ba.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF15b347.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RF15fe5b.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF15c255.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF16195a.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp\scoped_dir_1808_17872 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\280F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old~RF15cafc.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF160fd8.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity~RF15da86.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld\2820.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\the-real-index~RF15c1e7.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG.old~RF15b9ec.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Persistent State~RF15da86.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Local State~RF15d94e.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\JumpListIconsOld (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF15da38.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir\the-real-index (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF15b663.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\03df6d6f-8e2a-4489-bd5a-64f29c423fdf\index-dir (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extensions\Temp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Last Session (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG.old~RF15c763.TMP (0 bytes)
The process regsvr32.exe:2496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (90 bytes)
Registry activity
The process %original file name%.exe:3800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"UninstallString" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe"
[HKCU\Software\Microsoft\Internet Explorer\Approved Extensions]
"{6f02327d-af8c-4e89-bfb0-f085f2f27df9}" = "51 66 7A 6C 4C 1D 3B 1B 6D 2B 13 74 B2 FE E5 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "koikkkbidedbdhpibnldmifjfiiapajf"
[HKLM\SOFTWARE\MediaWatchV1\Media Watch]
"Installed" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\koikkkbidedbdhpibnldmifjfiiapajf]
"Version" = "1.1"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "Media Watch"
[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"ff" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"DisplayIcon" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe"
"NoModify" = "1"
[HKLM\SOFTWARE\Mozilla\Firefox\extensions]
"ext@MediaWatchV1home7445.net" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"URLInfoAbout" = ""
"NoRepair" = "1"
[HKLM\SOFTWARE\Google\Chrome\Extensions\koikkkbidedbdhpibnldmifjfiiapajf]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"CH" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"DisplayVersion" = "1.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\MediaWatchV1home7445\Components]
"ie" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaWatchV1home7445]
"Publisher" = "Media Watch"
"DisplayName" = "Media Watch"
[HKLM\SOFTWARE\MediaWatchV1home7445]
"Path" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{604AF983-D85F-42B1-8A88-C340353ECD43}Machine\Software]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process chrome.exe:1808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid_enableddate" = "0"
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "0"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"metricsid" = ""
"metricsid_installdate" = "0"
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"aggregate" = "sum()"
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"usagestats" = "0"
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumAccounts]
"S-1-5-21-732923889-1296844034-1208581001-1000" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"lastrun" = "13126666546371223"
[HKCU\Software\Google\Chrome\BLBeacon]
"failed_count" = "0"
[HKCU\Software\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"dr" = "1"
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_NumSignedIn]
"aggregate" = "sum()"
[HKCU\Software\Google\Chrome\StabilityMetrics]
"user_experience_metrics.stability.exited_cleanly" = "0"
[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
[HKCU\Software\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"dr" = "1"
[HKCU\Software\Google\Chrome]
"UsageStatsInSample" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Google\Chrome\PreReadFieldTrial]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"experiment_labels"
The process regsvr32.exe:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\TypeLib]
"Version" = "1.1"
"(Default)" = "{157E0954-7BEC-49A3-846B-47AD2A4D2717}"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\InprocServer32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll"
[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}]
"(Default)" = "IMediaWatchV1home7445BHO"
[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\HELPDIR]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie"
[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "MediaWatchV1home7445"
[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1\0\win32]
"(Default)" = "%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll"
[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{157E0954-7BEC-49A3-846B-47AD2A4D2717}\1.1]
"(Default)" = "MediaWatchV1home7445Lib"
[HKCR\Interface\{5929BA57-A9DF-4F89-BCDE-2233A23BDA90}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\TypeLib]
"(Default)" = "{157e0954-7bec-49a3-846b-47ad2a4d2717}"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\Version]
"(Default)" = "1.1"
[HKCR\CLSID\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}\InprocServer32]
"ThreadingModel" = "Apartment"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6f02327d-af8c-4e89-bfb0-f085f2f27df9}]
"(Default)" = "MediaWatchV1home7445"
"NoExplorer" = "1"
Dropped PE files
MD5 | File path |
---|---|
fa9e10bad193c53a078cda885e0f4cb9 | c:\Program Files\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll |
ac1361b2741f858b1817e00a81738a65 | c:\Program Files\MediaWatchV1\MediaWatchV1home7445\uninstall.exe |
51ba1095f0ae45a2d444bea506cb9ad4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3800
chrome.exe:3928
chrome.exe:1808
regsvr32.exe:2496
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\default\MediaWatchV1home7445_32.png (10 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ie\MediaWatchV1home7445.dll (1438 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ch\MediaWatchV1home7445.crx (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (13747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome.manifest (149 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll (19321 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\uninstall.exe (11397 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (424 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445.js (747 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\overlay.xul (344 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\install.rdf (788 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\ffMediaWatchV1home7445ffaction.js (678 bytes)
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff\chrome\content\icons\Thumbs.db (564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_16.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\manifest.json (535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\ffMediaWatchV1home7445chaction.js (834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_64.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_128.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\images\MediaWatchV1home7445_48.png (392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_IMAGES (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\DECODED_MESSAGE_CATALOGS (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\CRX_INSTALL\icon.ico (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\B72E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\D940.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log (69 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\67a473248953641b_1 (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG (618 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data (744 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG (519 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_XNFbplNQia974aj (172 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager (1066 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\index-dir\temp-index (456 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage (3286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\9cfa0dda3968329980b7e40c251f29bfef877f68\39899567-a7df-4e61-bae6-748369b36961\e2042f2bac3c4012_0 (1188 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA7B.tmp (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Current Session (1768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scoped_dir_1808_27214\MediaWatchV1home7445.crx (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3C.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V1D2EDSBRU76AHZJFWR.temp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal (2753 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 (4692 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Network Action Predictor-journal (10985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\1963.tmp (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal (5378 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal (3450 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal (33745 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\B73E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA8C.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 (984 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_12F2a5PPplkvI0f (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal (6985 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG (495 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG (534 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\DA3B.tmp (160 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Media Watch
Product Name: Media Watch home 7445
Product Version: 1.1
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 237568 | 3120 | 3584 | 2.92202 | 76cf3ba7b2975156ad03518cde724eff |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 76
Network Activity
URLs
URL | IP |
---|---|
www.gstatic.com | 172.217.20.195 |
www.google.com.ua | |
chrome.google.com | |
shavar.services.mozilla.com | |
translate.googleapis.com | |
dns.msftncsi.com | |
www.googleapis.com | |
ssl.gstatic.com | |
self-repair.mozilla.org | |
search.services.mozilla.com | |
clients4.google.com | |
apis.google.com | |
tiles.services.mozilla.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3800:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
rs\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll
rome\content\icons\default\MediaWatchV1home7445_32.png
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp\aminsis.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdAE68.tmp
me7445\uninstall.exe
1home7445.crx
\.ORf
/?$?*?.?%?
C4Kc.dVg]Gt
f.BjV
o!.wSs
.dC(z
images/MediaWatchV1home7445_48.png
k1V}%F
.ry~;8
nsdAE68.tmp
5.dll" /s
0ba90bed9769996964b9ab65df22.exe
c:\%original file name%.exe
%Program Files%\MediaWatchV1\MediaWatchV1home7445
chrome\content\icons\default
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsdAE67.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\MediaWatchV1\MediaWatchV1home7445\ff
Nullsoft Install System v2.46
CompanyWebsite
firefox.exe_2172:
.text
`.rdata
@.data
.gfids
@.rsrc
@.reloc
xul.dll
USER32.dll
WINMM.dll
Could not find the Mozilla runtime.
.thunks
.syzygy
\dependentlibs.list
Mozilla
Firefox
firefox
49.0.1
20160922113459
{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
hXXps://crash-reports.mozilla.com/submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=49.0.1&buildid=20160922113459
Invalid path found: '%s'
Incorrect number of arguments passed to -app
application.ini path not recognized: '%s'
XUL_APP_FILE=%s
Couldn't set %s.
Couldn't read application.ini
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/security/sandbox/chromium/base/win/scoped_handle.cc
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc
Check failed: name.second.
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/security/sandbox/chromium/sandbox/win/src/interception.cc
CreateNamedPipeW
_TargetCreateNamedPipeW@36
c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\security\sandbox\chromium\base/numerics/safe_conversions.h
kernel32.dll
NtCreateKey
_TargetNtCreateKey@32
NtOpenKey
_TargetNtOpenKey@16
NtOpenKeyEx
_TargetNtOpenKeyEx@20
NtOpenKey[Ex]
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
dependentlibs.list
.gtest
c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\browser\app\firefox.pdb
.text$di
.text$lp00firefox
.text$mn
.text$np
.text$x
.text$yd
.text$zy
.text$zz
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIZ
.CRT$XPA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$00
.rdata$r
.rdata$sxdata
.rdata$zz
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.data$zz
.didat$5
.bss$00
.bss$dk00
.bss$pr00
.bss$zz
.gfids$y
.rsrc$01
.rsrc$02
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
firefox.exe
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z
mozglue.dll
CreateIoCompletionPort
GetProcessHandleCount
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
MSVCP140.dll
VCRUNTIME140.dll
_seh_filter_exe
_register_thread_local_exe_atexit_callback
_crt_atexit
api-ms-win-crt-stdio-l1-1-0.dll
api-ms-win-crt-string-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-utility-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll
version="1.0.0.0"
name="Firefox"
Firefox
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
f^.mHuQ8
.KscP
yy.QG
c"=Ãp
.CE&I8
%d>ZZ
\LMQ!)%C
0(2U2
?'?4?]?
: :$:8:<:>
2 2(20282@2
7 7
KERNEL32.DLL
user32.dll
WFirefox
kernelbase.dll
ntdll.dll
wow_helper.exe"
gdi32.dll
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
pipe\
Firefox and Mozilla Developers; available under the MPL 2 license.
Mozilla Corporation
Firefox is a Trademark of The Mozilla Foundation.