Susp_Dropper (Kaspersky), Gen:Variant.Strictor.56226 (B) (Emsisoft), Gen:Variant.Strictor.56226 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.PcClient.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a94d2f12989f70a719e0faf02ae6df38
SHA1: 05d39d94d45945aaa025bf0787cdc768e39fce24
SHA256: a8d3d287aef2b40164bf21d8989eb80282be01efa9b8b7efdb008633fc6de56b
SSDeep: 393216:Wf5L0u192l IIl7R/I59EEbpcVLepMRt19hxG37kTdaSv:W7192l pleDEEb2eCRQmHv
Size: 15527772 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
taskkill.exe:1140
taskkill.exe:1232
taskkill.exe:624
taskkill.exe:1932
taskkill.exe:476
taskkill.exe:1376
taskkill.exe:232
WScript.exe:540
WScript.exe:1776
RegSvcs.exe:1896
%original file name%.exe:1620
Server.exe:1788
Server.exe:1164
Server.exe:744
Server.exe:1312
Server.exe:636
Server.exe:1504
Server.exe:500
rundll32.exe:1984
fanmonitor32.com:272
fanmonitor32.com:1740
mshta.exe:1236
mshta.exe:776
mshta.exe:580
mshta.exe:1528
mshta.exe:1476
mshta.exe:1936
mshta.exe:1376
mshta.exe:1380
The Backdoor injects its code into the following process(es):
svchost.exe:1856
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process WScript.exe:1776 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\DC2135CED98D8A4D7C0CEE202BB0B810 (693 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\DC2135CED98D8A4D7C0CEE202BB0B810 (172 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F5A17C00E427F919C4A49EEF5AD0EE53 (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F5A17C00E427F919C4A49EEF5AD0EE53 (522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
The process RegSvcs.exe:1896 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.nfo (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.dat (394 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.svr (1647 bytes)
%WinDir%\InstallDir\Server.exe (32 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.svr (0 bytes)
The process %original file name%.exe:1620 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\wjgnj\65487.WCG (166 bytes)
%Documents and Settings%\%current user%\wjgnj\7185.NLP (2321 bytes)
%Documents and Settings%\%current user%\wjgnj\6897233.vbe (64 bytes)
%Documents and Settings%\%current user%\wjgnj\fanmonitor32.com (15361 bytes)
%Documents and Settings%\%current user%\wjgnj\6023107.YBP (46348 bytes)
%Documents and Settings%\%current user%\wjgnj\Hotgirlwanttohavesexwithherboss.rar (110244 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\wjgnj\__tmp_rar_sfx_access_check_1140140 (0 bytes)
The process fanmonitor32.com:1740 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\wjgnj\start.cmd (72 bytes)
%Documents and Settings%\%current user%\wjgnj\start.vbs (189 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (411 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (0 bytes)
Registry activity
The process taskkill.exe:1140 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E F5 F8 CB 28 B5 C6 A5 C3 BB 9A A7 84 08 A3 F3"
The process taskkill.exe:1232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 0B 11 2C 29 4D 52 E2 1E 8D 34 AC AB 3D 76 31"
The process taskkill.exe:624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 86 9A 3E A2 3A 52 F0 75 36 96 BF 89 0D D7 1B"
The process taskkill.exe:1932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F E1 7D DA AB 57 96 97 FC 08 48 A0 93 A0 25 F8"
The process taskkill.exe:476 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 54 B1 7D 05 07 FC 22 94 2B 30 87 67 07 C3 22"
The process taskkill.exe:1376 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 DF 35 57 19 76 31 BC A6 D1 F9 60 94 F1 15 0B"
The process taskkill.exe:232 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 98 DF A5 0A 45 09 87 48 1D C9 BF 9D AA 19 29"
The process WScript.exe:540 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 A0 A6 F8 CA DD 02 30 90 EB BF 70 B2 51 05 DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process WScript.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 70 76 19 F1 E0 FA D5 9A 98 03 C4 7F 1A FC 0D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\wjgnj]
"fanmonitor32.com" = "AutoIt v3 Script"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 6F 7E 74 A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 A8 23 B4 A2"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"B1BC968BD4F49D622AA89A81F2150152A41D829C"
The process RegSvcs.exe:1896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\fPwB93jxDhZs]
"ServerStarted" = "9/13/2016 11:45:01 AM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\fPwB93jxDhZs]
"InstalledServer" = "%WinDir%\InstallDir\Server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2F 05 10 53 79 B7 49 04 F9 01 1B C4 AE 55 4D"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\InstallDir]
"server.exe" = "Microsoft .NET Services Installation Utility"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Server.exe"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Server.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1620 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 22 FD 0D 6F 50 E2 4A 0E FA DF F8 72 09 DB 6E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shell32.dll" = "Windows Shell Common Dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Server.exe:1788 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 4B A2 77 D4 C0 64 DA 58 10 57 46 D0 47 AC 72"
The process Server.exe:1164 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 E1 4C 38 26 A3 0D 89 AE 49 92 24 AA C3 99 FB"
The process Server.exe:744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 41 BE E4 A7 42 A2 10 56 78 69 41 8B 2B 9F BC"
The process Server.exe:1312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 D0 BB 69 44 F0 73 5A D7 B9 38 38 CD 85 9E 75"
The process Server.exe:636 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F3 AF 61 27 31 0A C7 90 B3 E9 D0 80 7B 74 CF"
The process Server.exe:1504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 32 66 A6 46 6F C5 D1 F4 D5 24 4D 0B FB B0 BC"
The process Server.exe:500 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 CC C1 21 6D A5 B0 DE 46 67 98 5B CB E6 26 D0"
The process rundll32.exe:1984 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 9C D1 64 20 18 7A BE 36 F1 81 C0 6A 69 49 93"
The process fanmonitor32.com:272 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 AF 63 81 FE 53 5E 43 84 25 94 3B B9 FE 8B 5C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process fanmonitor32.com:1740 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"mshta.exe" = "Microsoft (R) HTML Application host"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 3F 19 9E 87 A1 DB 61 95 4D 89 2A C9 F7 E5 EC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file in the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wjgnj" = "C:\DOCUME~1\"%CurrentUserName%"\wjgnj\start.vbs"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process mshta.exe:1236 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 39 1A 73 E9 67 BD CD D4 00 1A 46 E5 44 D3 D3"
The process mshta.exe:776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 80 68 17 A1 0F 88 CD F6 81 CC 4C 66 EA 2F 4D"
The process mshta.exe:580 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 2A F0 EE 07 89 28 88 7A 4B 1D E3 3C F5 A5 A1"
The process mshta.exe:1528 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 0D 47 D2 1D 30 16 56 F2 D3 FA C3 B4 13 0F 89"
The process mshta.exe:1476 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C DF B7 95 1B 3F 07 CB AF 13 B8 0E 14 F2 38 52"
The process mshta.exe:1936 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 FE F6 AC EA 61 15 64 22 94 EE 85 A5 E0 BD A0"
The process mshta.exe:1376 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 D5 B2 74 08 29 81 12 8F 41 16 65 52 A6 E4 E1"
The process mshta.exe:1380 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 9E 1D 65 6A 95 CF C0 45 2A 27 D2 54 4B 65 5C"
Dropped PE files
MD5 | File path |
---|---|
71d8f6d5dc35517275bc38ebcc815f9f | c:\Documents and Settings\"%CurrentUserName%"\wjgnj\fanmonitor32.com |
d78037c554f59e29727541f1f39100a9 | c:\WINDOWS\InstallDir\Server.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1140
taskkill.exe:1232
taskkill.exe:624
taskkill.exe:1932
taskkill.exe:476
taskkill.exe:1376
taskkill.exe:232
WScript.exe:540
WScript.exe:1776
RegSvcs.exe:1896
%original file name%.exe:1620
Server.exe:1788
Server.exe:1164
Server.exe:744
Server.exe:1312
Server.exe:636
Server.exe:1504
Server.exe:500
rundll32.exe:1984
fanmonitor32.com:272
fanmonitor32.com:1740
mshta.exe:1236
mshta.exe:776
mshta.exe:580
mshta.exe:1528
mshta.exe:1476
mshta.exe:1936
mshta.exe:1376
mshta.exe:1380
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\DC2135CED98D8A4D7C0CEE202BB0B810 (693 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (49 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\DC2135CED98D8A4D7C0CEE202BB0B810 (172 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F5A17C00E427F919C4A49EEF5AD0EE53 (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F5A17C00E427F919C4A49EEF5AD0EE53 (522 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.nfo (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.dat (394 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.svr (1647 bytes)
%WinDir%\InstallDir\Server.exe (32 bytes)
%Documents and Settings%\%current user%\wjgnj\65487.WCG (166 bytes)
%Documents and Settings%\%current user%\wjgnj\7185.NLP (2321 bytes)
%Documents and Settings%\%current user%\wjgnj\6897233.vbe (64 bytes)
%Documents and Settings%\%current user%\wjgnj\fanmonitor32.com (15361 bytes)
%Documents and Settings%\%current user%\wjgnj\6023107.YBP (46348 bytes)
%Documents and Settings%\%current user%\wjgnj\Hotgirlwanttohavesexwithherboss.rar (110244 bytes)
%Documents and Settings%\%current user%\wjgnj\start.cmd (72 bytes)
%Documents and Settings%\%current user%\wjgnj\start.vbs (189 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\start.lnk (411 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wjgnj" = "C:\DOCUME~1\"%CurrentUserName%"\wjgnj\start.vbs"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Note: the Cab*.tmp, Tar*.tmp and CryptnetUrlCache entries in the file list above are written by Windows CryptoAPI itself while it fetches CRLs and the authroot update (compare the sizes with the Network Activity section: the 693-byte and 522-byte Content entries are the Root.crl and primobject.crl responses, the 18-byte entry is authrootseq.txt). They are a side effect of certificate-chain validation, harmless to delete but useless as indicators. The removal targets that actually belong to the sample are the wjgnj and fPwB93jxDhZs folders, %WinDir%\InstallDir\Server.exe, the Startup start.lnk and the three Run/RunOnce values listed above.
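The autorun entries above are the part of the removal list a responder checks first, and the same three traits recur across samples of this kind: a Run value named after a registry hive ("HKLM" / "HKCU") that points at a binary under an InstallDir folder, and a RunOnce value that relaunches a script from the user profile. The following Python is an added example, not part of the Lavasoft report or of any vendor tool. It parses the report's own `[HIVE\key]` / `"name" = "data"` listing (copied inline as constructed sample data) and flags each entry with the reasons it is suspicious. The name patterns, script extensions and profile-path markers it checks are this example's assumptions.

```python
"""Triage the autorun entries listed in a sandbox report (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the report's own "autorun key" listing, as data.
REPORT_AUTORUNS = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"wjgnj" = "C:\DOCUME~1\"%CurrentUserName%"\wjgnj\start.vbs"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# The data part may itself contain quotes (the RunOnce line does), so take
# everything after the first ' = "' up to the final quote instead of trying
# to match balanced quoting.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"$')

# Assumptions for the heuristics below.
SCRIPT_EXT = ('.vbs', '.vbe', '.js', '.jse', '.cmd', '.bat', '.hta', '.wsf')
USER_PROFILE_MARKERS = ('\\docume~1\\', '\\documents and settings\\',
                        '\\users\\', '%appdata%', '%currentusername%')
HIVE_NAMES = ('HKLM', 'HKCU', 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER')


@dataclass
class Autorun:
    key: str
    name: str
    data: str


def parse_autoruns(text: str) -> list[Autorun]:
    """Parse the report's '[key]' / '"name" = "data"' listing."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(Autorun(key, m.group('name'), m.group('data')))
    return entries


def suspicion_reasons(e: Autorun) -> list[str]:
    """Return the reasons one autorun entry deserves removal (empty if none)."""
    reasons = []
    data_l = e.data.lower()
    # A value named after a hive is meaningless as a program name; it is
    # exactly what this sample writes ("HKLM" / "HKCU").
    if e.name.upper() in HIVE_NAMES:
        reasons.append('value name is a hive name')
    # The autorun target is a script rather than a binary.
    if data_l.endswith(SCRIPT_EXT):
        reasons.append('target is a script host payload')
    # The target lives under a user profile, i.e. in a user-writable path.
    if any(marker in data_l for marker in USER_PROFILE_MARKERS):
        reasons.append('target lives in a user-writable profile path')
    # Matches the binary the report says the sample dropped.
    if 'installdir\\server.exe' in data_l:
        reasons.append('target matches dropped %WinDir%\\InstallDir\\Server.exe')
    if e.key.lower().endswith('\\runonce'):
        reasons.append('RunOnce entry (re-executes on next logon)')
    return reasons


def triage(text: str) -> list[tuple[str, str, list[str]]]:
    """(key\\name, data, reasons) for every entry with at least one reason."""
    out = []
    for e in parse_autoruns(text):
        reasons = suspicion_reasons(e)
        if reasons:
            out.append((f'{e.key}\\{e.name}', e.data, reasons))
    return out


if __name__ == '__main__':
    for path, data, reasons in triage(REPORT_AUTORUNS):
        print(path, '->', data)
        for r in reasons:
            print('   *', r)
```

Feed it a `reg export` of the Run, RunOnce and Policies\Explorer\Run keys from a suspect host (after normalising the export to the `"name" = "data"` form) and everything it prints is a candidate for deletion before the reboot step.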
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
.rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
.data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
.CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
.rsrc | 192512 | 22144 | 22528 | 3.47896 | caacb5beb649a87594b64b11df0f5130 |

The five sections account for only 105,984 bytes of raw data, so almost all of the 15,527,772-byte file sits outside the section table as an overlay appended after .rsrc. The low per-section entropy values therefore describe the small loader stub, not the overlay; since the captured traffic shows no download, the dropped components (the wjgnj folder contents, Server.exe) come from that overlay.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5
b26c2ff1d5f114fe16ffffc981648eeb
3ae35c17ca6b8b8b192fe0ba73cfaf85
de691015e088eaffa3d69a14f1b94fb0
5fc3d546bdc1e77c5140ee59a4b53f7e
d680144a836ff76db462b31783294b7d
Network Activity
URLs
URL | IP |
---|---|
hxxp://fg.download.windowsupdate.com.c.footprint.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://fg.download.windowsupdate.com.c.footprint.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://crl.globalsign.net/Root.crl | 198.41.215.186 |
hxxp://crl.globalsign.net/primobject.crl | 198.41.215.186 |
hxxp://crl.globalsign.net/ObjectSign.crl | 198.41.215.186 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 8.254.200.174 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 8.254.200.174 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Root.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.globalsign.net
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 08:43:59 GMT
Content-Type: application/pkix-crl
Content-Length: 693
Connection: keep-alive
Set-Cookie: __cfduid=d4762767704e91d58ae87ac3690c6db221473756239; expires=Wed, 13-Sep-17 08:43:59 GMT; path=/; domain=.globalsign.net; HttpOnly
Last-Modified: Thu, 07 Jul 2016 00:00:00 GMT
ETag: 35
Expires: Sat, 15 Oct 2016 00:00:00 GMT
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 2e1a509204b1290e-OTP
[binary body omitted: 693-byte DER-encoded CRL, issuer GlobalSign Root CA, thisUpdate 2016-07-07, nextUpdate 2016-10-15]
GET /primobject.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.globalsign.net
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 08:43:59 GMT
Content-Type: application/pkix-crl
Content-Length: 522
Connection: keep-alive
Set-Cookie: __cfduid=d4762767704e91d58ae87ac3690c6db221473756239; expires=Wed, 13-Sep-17 08:43:59 GMT; path=/; domain=.globalsign.net; HttpOnly
Last-Modified: Tue, 26 Aug 2014 06:00:00 GMT
ETag: <NONE>
Expires: Sat, 26 Aug 2034 06:00:00 GMT
Cache-Control: public, no-transform, must-revalidate
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare-nginx
CF-RAY: 2e1a509294ba290e-OTP
[binary body omitted: 522-byte DER-encoded CRL, issuer GlobalSign Primary Object Publishing CA, thisUpdate 2014-08-26, nextUpdate 2034-08-26]
GET /ObjectSign.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.globalsign.net
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 404 Not Found
Date: Tue, 13 Sep 2016 08:43:59 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d4762767704e91d58ae87ac3690c6db221473756239; expires=Wed, 13-Sep-17 08:43:59 GMT; path=/; domain=.globalsign.net; HttpOnly
CF-Cache-Status: HIT
Server: cloudflare-nginx
CF-RAY: 2e1a509314c4290e-OTP
[chunked HTML body: "404 Not Found. The requested URL /ObjectSign.crl was not found on this server."]
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 08:11:04 GMT
Content-Type: text/plain
Content-Length: 18
Connection: keep-alive
Cache-Control: max-age=604800
ETag: "8095d7df9b96d11:0"
Last-Modified: Thu, 14 Apr 2016 22:20:39 GMT
Server: Footprint Distributor V4.11
x-ccc: DE
x-cid: 3
X-Powered-By: ASP.NET,ASP.NET
Expires: Thu, 15 Sep 2016 14:10:46 GMT
MSRegion: EMEA
Age: 1975
Accept-Ranges: bytes
1401D1969BE01E11A6....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Tue, 13 Sep 2016 08:10:45 GMT
Content-Type: application/octet-stream
Content-Length: 49640
Connection: keep-alive
Cache-Control: max-age=604800
ETag: "0c730803b97d11:0"
Last-Modified: Fri, 15 Apr 2016 17:23:18 GMT
Server: Footprint Distributor V4.11
x-ccc: DE
x-cid: 3
X-Powered-By: ASP.NET,ARR/2.5,ASP.NET
Expires: Thu, 15 Sep 2016 14:10:34 GMT
MSRegion: EMEA
Age: 1994
Accept-Ranges: bytes
[binary body omitted: 49,640-byte Microsoft cabinet (MSCF) containing authroot.stl]
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
None recorded. Every request in the capture carries the Microsoft-CryptoAPI user agent and fetches a CRL or the authroot update, which is Windows validating a certificate chain rather than the backdoor talking to its controller. The only non-placeholder hostname in the injected payload's configuration strings, minertracker.servePTF.com (see Strings from Dumps), does not appear in the captured traffic.
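Sandbox captures routinely mix the sample's own traffic with requests the operating system makes on its behalf, and everything in the Traffic section above is of the second kind: the Microsoft-CryptoAPI user agent fetching CRLs from crl.globalsign.net and the authroot update from download.windowsupdate.com. The following Python is an added example, not part of the Lavasoft report. It parses raw request blocks and labels each one; the first two blocks are copied from the report, the last two are constructed to show the cases that do need a look (a plain beacon, and a CryptoAPI user agent pointed at a host CryptoAPI would never fetch from, which is how a spoofed user agent shows up). The host allow-list and the "VVV." to "www." un-defanging are this example's assumptions; the latter follows the report's own URL table, which lists www.download.windowsupdate.com for the request whose Host header reads VVV.download.windowsupdate.com.

```python
"""Separate Windows CryptoAPI background requests from traffic worth review (added example)."""
import re

CAPTURED_REQUESTS = [  # constructed sample set
    # Copied from the report's Traffic section.
    """GET /Root.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.globalsign.net
Connection: Keep-Alive""",
    """GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive""",
    # Constructed: a plain beacon with a browser-style user agent.
    """POST /gate.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: c2.example.invalid
Content-Length: 0""",
    # Constructed: CryptoAPI user agent on a host/path CryptoAPI never fetches.
    """GET /update.bin HTTP/1.1
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: c2.example.invalid""",
]

CRYPTOAPI_UA = 'Microsoft-CryptoAPI/'
# What CryptoAPI fetches on its own: CRLs, OCSP responses, the authroot root-store update.
CERT_PATH_RE = re.compile(r'(\.crl$|^/ocsp|/msdownload/update/v3/static/trustedr/)', re.I)


def undefang_host(host: str) -> str:
    """The report writes 'VVV.' for 'www.' (its URL table shows both forms for the same fetch)."""
    return 'www.' + host[4:] if host.lower().startswith('vvv.') else host


def expected_cert_host(host: str) -> bool:
    """Assumption: CRL/OCSP hosts and Microsoft's root-store CDN are the only
    places CryptoAPI should be talking to. Extend for your own estate."""
    h = host.lower()
    return h.startswith(('crl.', 'ocsp.')) or h.endswith('.windowsupdate.com')


def parse_request(block: str) -> dict:
    """Parse a raw HTTP request block into method, path, host and user agent."""
    lines = block.strip().splitlines()
    parts = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            name, value = line.split(':', 1)
            headers[name.strip().lower()] = value.strip()
    return {'method': parts[0], 'path': parts[1],
            'host': undefang_host(headers.get('host', '')),
            'ua': headers.get('user-agent', '')}


def classify(req: dict) -> str:
    cryptoapi = req['ua'].startswith(CRYPTOAPI_UA)
    cert_fetch = bool(CERT_PATH_RE.search(req['path'])) and expected_cert_host(req['host'])
    if cryptoapi and cert_fetch:
        return 'os-cert-noise'       # Windows validating a certificate chain, not C2
    if cryptoapi:
        return 'review-ua-mismatch'  # CryptoAPI UA where CryptoAPI would not go: spoofed?
    return 'review'


def triage(blocks) -> list:
    """(method, host+path, label) for every captured request block."""
    out = []
    for block in blocks:
        req = parse_request(block)
        out.append((req['method'], req['host'] + req['path'], classify(req)))
    return out


if __name__ == '__main__':
    for method, target, label in triage(CAPTURED_REQUESTS):
        print(f'{label:18} {method} {target}')
```

Run over the full capture, the two 'os-cert-noise' labels are what every request in this report gets; anything else would have been the traffic to chase.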
Strings from Dumps
rundll32.exe_1984:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
svchost.exe_1856:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1856_rwx_00150000_0006F000:
.idata
.rdata
P.reloc
P.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
kernel32.dll
Kernel32.dll
ntdll.dll
789:;
user32.dll
advapi32.dll
shell32.dll
shlwapi.dll
urlmon.dll
wininet.dll
Shell32.dll
lsass.exe
svchost.exe
GetProcessHeap
oleaut32.dll
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
SHDeleteKeyW
FindExecutableW
ShellExecuteW
URLDownloadToFileW
DeleteUrlCacheEntryW
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
1 1$1(1,1
v%D-g\d
.byEk-
T6Y-.POY
j%X@ *
%FXq_&"
kL.hg
YZ%FH
Ae.dg
%ud&S
%uszc
.mg}'I
'.S.JLK
7F.nxU
*P~.Xr
.aFx\
Ê[&
().tdI9
FtPQI
0 ^%U
-M%S7
%X;Wj
V|.Vq6
.rf^oQq
KWindows
Cm_Keylogger
x.html
explorer.exe
%USECRYPTERSETTINGS%
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
BINDERPASS
[Execute]
KeyDelBackspace
CyberGateKeylogger
explorer.exe
hXXp://
.functions
%DEFAULTBROWSER%
%USECRYPTER%
SETTINGSPASS
\Microsoft\Windows\
CYBERGATEPASS
minertracker.servePTF.com
C:\User
Server.exe
2.0.2.3
ePTF.com
C:\Users\ChrfPwB93jxDhZsPERSIST
C:\Users\Chris
PTF.ftpserver.com
ftpuser
ftppass
calc.exe
notepad.exe
hXXp://VVV.myserver.com/serverplugin.srv
hXXp://VVV.somehosting.com/tagger.php
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu
C:\Users\Chris\AppData\Local\Microsoft\Windows\Burn\Burn
C:\Users\Chris\AppData\Local\Microsoft\Windows Sidebar?id=%ID%&name=%Username% @ %PCName%&version=%Version%
{0.0.0.00000000}.{85c3e77d-29d9-4866-811b-61e2517e0d41}
example@email.com
C:\Us
%WinDir%\InstallDir\Server.exe
%WinDir%\InstallDir\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\fPwB93jxDhZs\fPwB93jxDhZs.nfo
fanmonitor32.com_272:
.text
`.rdata
@.data
.rsrc
@.reloc
s%j.Zf
8crtsu
:crts
crts
GetProcessWindowStation
operator
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
USERENV.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÃ
L.aVFY)
.ijjrc
g%D`-
sssh6
uW.MW
3.3/464(5,5054585
8 8$8(8,808
= =$=(=,=0=4=8=
0 0$0(0,0004080
:*;3;?;|;
11
2 323[3.5
? ?@?`?
= =$=(=,=0=4=
5 5$5(5,5054585
CADjD%D
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
Line %d:
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
%s (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 8, 1
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
%Documents and Settings%\%current user%\wjgnj\fanmonitor32.com
:%Documents and Settings%\%current user%\wjgnj\6023107.YBP
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
hXXp://VVV.autoitscript.com/autoit3/
AutoIt3.exe
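The useful indicators in the dumps above sit among import names, PCRE and AutoIt runtime messages and truncated fragments ("C:\Us", "ePTF.com"), and the report defangs them (hXXp for http, VVV for www, both visible in its own URL table). The following Python is an added example, not part of the Lavasoft report or of any vendor tool. It takes a constructed excerpt of the strings listed for the code injected into svchost.exe, re-fangs them, sorts them into indicator categories, drops fragments that are substrings of a longer indicator, and marks as low confidence the values that read like untouched RAT-builder placeholders (myserver.com, somehosting.com, ftpserver.com, example@email.com) rather than live infrastructure. Two things are this example's assumptions: that "PTF" is the report's defanging of "ftp" by the same convention as VVV, and the placeholder list itself.

```python
"""Pull actionable indicators out of a 'Strings from Dumps' listing (added example)."""
import re
from collections import defaultdict

DUMP_STRINGS = [  # constructed excerpt of the report's injected-region strings
    'Portions Copyright (c) 1999,2003 Avenger by NhT',
    'Cm_Keylogger',
    'Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run',
    'CyberGateKeylogger',
    'CYBERGATEPASS',
    'minertracker.servePTF.com',
    'C:\\User',
    'Server.exe',
    'ePTF.com',
    'C:\\Users\\Chris',
    'PTF.ftpserver.com',
    'ftpuser',
    'hXXp://VVV.myserver.com/serverplugin.srv',
    'hXXp://VVV.somehosting.com/tagger.php',
    'example@email.com',
    'C:\\Us',
    '%WinDir%\\InstallDir\\Server.exe',
    '1 1$1(1,1',
]

# Substrings that tie a dump to this family (all present in the report's listing).
FAMILY_MARKERS = ('CyberGate', 'CYBERGATE', 'Cm_Keylogger', 'BINDERPASS', 'Avenger by NhT')
# Assumption: these read like untouched builder placeholder values, not live infrastructure.
PLACEHOLDER_HINTS = ('myserver.com', 'somehosting.com', 'ftpserver.com', 'example@email.com')
# '.com' is deliberately absent: it is both a TLD and a DOS executable extension
# (the report's fanmonitor32.com is a file), so check .com hits against the file list.
BINARY_EXT = ('.exe', '.dll', '.sys', '.scr', '.pif', '.ocx', '.cpl')
REG_PREFIXES = ('Software\\', '\\Registry\\', 'HKEY_', 'HKLM\\', 'HKCU\\')

HOST_RE = re.compile(r'(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$')
URL_RE = re.compile(r'https?://\S+$')
EMAIL_RE = re.compile(r'[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}$', re.I)
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%[^%]+%\\).+$')


def refang(s: str) -> str:
    """Undo the report's defanging: hXXp -> http, VVV. -> www., PTF -> ftp (assumed)."""
    s = s.replace('hXXp://', 'http://').replace('hXXps://', 'https://')
    s = re.sub(r'(?<![A-Za-z0-9])VVV\.', 'www.', s)
    return s.replace('PTF', 'ftp')  # assumption: same convention as VVV/hXXp


def categorise(s: str):
    """Return the indicator category of one string, or None if it is not one."""
    if any(m in s for m in FAMILY_MARKERS):
        return 'family-marker'
    if any(s.startswith(p) for p in REG_PREFIXES):
        return 'registry'
    if PATH_RE.match(s):
        return 'path'
    if URL_RE.match(s):
        return 'url'
    if EMAIL_RE.match(s):
        return 'email'
    low = s.lower()
    if HOST_RE.match(low) and not low.endswith(BINARY_EXT):
        return 'host'
    return None


def suppress_fragments(values):
    """Drop values that are proper substrings of a longer value (truncated dump strings)."""
    return [v for v in values if not any(v != o and v in o for o in values)]


def extract_iocs(strings):
    """{category: [(value, confidence), ...]} with fragments removed."""
    buckets = defaultdict(list)
    for raw in strings:
        s = refang(raw.strip())
        cat = categorise(s)
        if cat and s not in buckets[cat]:
            buckets[cat].append(s)
    result = {}
    for cat, values in buckets.items():
        kept = suppress_fragments(values)
        result[cat] = [(v, 'low' if any(h in v.lower() for h in PLACEHOLDER_HINTS) else 'high')
                       for v in kept]
    return result


if __name__ == '__main__':
    for cat, items in extract_iocs(DUMP_STRINGS).items():
        for value, confidence in items:
            print(f'{cat:14} {confidence:5} {value}')
```

Run against the whole listing, the high-confidence output is the host, the two registry Run paths, the InstallDir drop path and the family markers; the builder-default URLs, FTP host and e-mail address come out low and should not be blocked or hunted on their own.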