Trojan-Dropper.Win32.Injector.pbuu (Kaspersky), Win32.Madangel.DIA (B) (Emsisoft), Win32.Madangel.DIA (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6074c83922f7a481fd8b07c54a9dcd59
SHA1: 114b1d0b894021a30b9771edadc63b7f50f00b38
SHA256: b765a67d42018f3d24245be1641b536107784c737d0449720046b2a92f07a997
SSDeep: 6144:MltPsuG7z1kQBmabEsTBiv3YC7vGIbR6MHHUSppSwTaQZtsQUoatf:m1suGv1kQBjbEsTwv3Lm
Size: 334124 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-11 07:16:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1152
The Trojan injects its code into the following process(es):
%original file name%.exe:348
Explorer.EXE:888
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). Apart from %System%\Serverx.exe (1504347 bytes), every entry is an executable that already existed on the analysis image (Internet Explorer, Adobe Reader, Total Commander, NetMeeting and so on), and the write sizes of 52 to 1940 bytes are consistent with in-place modification of those binaries rather than new drops. Treat them as infected and replace them from trusted media instead of trusting a hand "disinfection":
%Program Files%\Adobe\Reader 9.0\Reader\ACROTEXTEXTRACTOR.EXE (100 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBEUPDATERINSTALLMGR.EXE (100 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (1188 bytes)
C:\totalcmd\TCUNINST.EXE (1300 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (1124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (1044 bytes)
%Program Files%\WinPcap\rpcapd.exe (1588 bytes)
%Program Files%\Common Files\Java\Java Update\jaureg.exe (1556 bytes)
%Program Files%\Outlook Express\oemig50.exe (1652 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\READERUPDATER.EXE (356 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACRORD32INFO.EXE (1604 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (658 bytes)
C:\totalcmd\TOTALCMD64.EXE (1510 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (548 bytes)
%Program Files%\Messenger\msmsgs.exe (1428 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACROBROKER.EXE (52 bytes)
%Program Files%\Common Files\Java\Java Update\jucheck.exe (436 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe (1428 bytes)
C:\totalcmd\NOCLOSE.EXE (1764 bytes)
%System%\Serverx.exe (1504347 bytes)
%Program Files%\Outlook Express\wabmig.exe (1236 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (692 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (996 bytes)
%Program Files%\NetMeeting\conf.exe (108 bytes)
%Program Files%\Common Files\Java\Java Update\jaucheck.exe (1300 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe (110 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (116 bytes)
%Program Files%\NetMeeting\cb32.exe (1540 bytes)
%Program Files%\Outlook Express\setup50.exe (1252 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBE_UPDATER.EXE (1046 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1236 bytes)
%Program Files%\Internet Explorer\iedw.exe (1684 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ADOBECOLLABSYNC.EXE (340 bytes)
%Program Files%\Outlook Express\wab.exe (980 bytes)
%Program Files%\NetMeeting\wb32.exe (1540 bytes)
C:\totalcmd\NOCLOSE64.EXE (1220 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (532 bytes)
%Program Files%\Microsoft Office\Office14\PPTVIEW.EXE (1840 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (708 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ACROBATUPDATER.EXE (356 bytes)
C:\totalcmd\TCMDX64.EXE (1252 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\LOGTRANSPORT2.EXE (1060 bytes)
%Program Files%\Movie Maker\moviemk.exe (1156 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1876 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (1556 bytes)
C:\totalcmd\TCUNIN64.EXE (1908 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1044 bytes)
C:\totalcmd\TCMADMIN.EXE (1940 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\A3DUTILITY.EXE (596 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ADOBEARMHELPER.EXE (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\PDFPREVHNDLRSHIM.EXE (340 bytes)
C:\totalcmd\TCMDX32.EXE (1684 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (692 bytes)
%Program Files%\Outlook Express\msimn.exe (1652 bytes)
C:\totalcmd\TcUsbRun.exe (1764 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (1316 bytes)
C:\totalcmd\TCMADM64.EXE (356 bytes)
C:\totalcmd\TOTALCMD.EXE (1592 bytes)
%Program Files%\WinPcap\UNINSTALL.EXE (1552 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1732 bytes)
Registry activity
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
To run automatically each time Windows boots, the Trojan adds the following value, pointing at its dropped copy, to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "%System%\Serverx.exe"
Dropped PE files
There are no dropped PE files. Note that the report nevertheless records a 1504347-byte write to %System%\Serverx.exe and an autorun value pointing at it (see Registry activity), so treat Serverx.exe as the dropped payload regardless of this field.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted. The modified file is 734 bytes in size. The following entry is added to the hosts file:
127.0.0.1 ZieF.pl
Hosts-file matching is exact (no suffix or wildcard matching), so this entry sinkholes only ZieF.pl; the IRC server irc.zief.pl listed under Network Activity is unaffected by it.
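As an added example (not part of the report or of Lavasoft's tooling), the script below does the hosts-file check an incident responder would run on an image: it parses the file, flags any name mapped to a loopback/unspecified address that is not one of the default entries, flags any name redirected to a real address, and shows why the exact-match rule matters for irc.zief.pl. The hosts contents are constructed to mirror the entry listed above; the redirect sample uses a TEST-NET address and an example.com name.

```python
"""Hosts-file anomaly check (added example; sample contents are constructed)."""
import ipaddress
import re

# Names a stock Windows hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/32"),
                 ipaddress.ip_network("::1/128")]

# Constructed: a default XP-style hosts file plus the line this sample adds.
CONSTRUCTED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 ZieF.pl
"""
# Constructed: a name pointed at an attacker-controlled address (TEST-NET-3).
CONSTRUCTED_REDIRECT = "203.0.113.9 www.example.com\n"


def parse_hosts(text):
    """Yield (ip_address, [names]) per entry; skip comments, blanks and unparsable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield ip, parts[1:]


def suspicious_entries(text):
    """Return [(ip, name, reason)]: 'sinkholed' for non-default names on loopback,
    'redirected' for any name pinned to a routable address."""
    hits = []
    for ip, names in parse_hosts(text):
        sinkholed = any(ip in net for net in SINKHOLE_NETS)
        for name in names:
            if sinkholed:
                if name.lower() not in DEFAULT_NAMES:
                    hits.append((str(ip), name, "sinkholed"))
            else:
                hits.append((str(ip), name, "redirected"))
    return hits


def hosts_override(text, hostname):
    """Address the hosts file assigns to hostname, or None.
    Matching is exact and case-insensitive: 'ZieF.pl' does not cover irc.zief.pl."""
    want = hostname.lower().rstrip(".")
    for ip, names in parse_hosts(text):
        if want in (n.lower() for n in names):
            return str(ip)
    return None


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(CONSTRUCTED_HOSTS):
        print(f"{reason}: {name} -> {ip}")
    print("irc.zief.pl override:", hosts_override(CONSTRUCTED_HOSTS, "irc.zief.pl"))
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts) by reading that path into `suspicious_entries`; the restore step in the removal instructions corresponds to leaving only the default loopback entries.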
Rootkit activity
The Trojan installs the following user-mode (inline) hooks in ntdll.dll, covering file open/create, process creation and process information queries. Hooks at this layer are consistent with intercepting access to executables from inside the injected processes; they are invisible to tools that call the same APIs, which is why the manual removal steps below begin with an anti-rootkit scan:
NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
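A user-mode hook of this kind overwrites the first bytes of the exported stub with a control transfer into the injected code. The following is an added example, not from the report or from Lavasoft's tooling, of the check an anti-rootkit tool performs: look for a jmp or push/ret at the function entry, then compare the live bytes with the on-disk copy to catch anything the opcode heuristic misses. The stub bytes, the function addresses and the hook destination are constructed for illustration; the 0x00FF0000 destination only reuses the address from the Explorer.EXE RWX region name in the dumps below as a placeholder. On a live Windows host the `live` bytes would come from ReadProcessMemory and `disk` from the ntdll.dll file on disk.

```python
"""Inline-hook detection for ntdll exports (added example; all bytes are constructed)."""
import struct

# Constructed 32-bit XP SP3 style Nt* stub:
#   mov eax, 25h ; mov edx, 7FFE0300h ; call [edx] ; ret 14h
CLEAN_STUB = bytes.fromhex("b825000000ba0003fe7fff12c21400")


def detect_inline_hook(prologue: bytes, func_addr: int):
    """Return (kind, target) if the prologue begins with a control transfer, else None.

    kind is 'jmp_rel32', 'jmp_abs' or 'push_ret'; target is the resolved destination
    (for jmp_abs it is the address of the pointer slot, not the code)."""
    if len(prologue) < 5:
        return None
    op = prologue[0]
    if op == 0xE9:                                                   # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xFF and len(prologue) >= 6 and prologue[1] == 0x25:    # jmp dword ptr [abs]
        return "jmp_abs", struct.unpack_from("<I", prologue, 2)[0]
    if op == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:    # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", prologue, 1)[0]
    return None


def compare_with_disk(name: str, live: bytes, disk: bytes, func_addr: int) -> dict:
    """Opcode heuristic first; then a straight byte comparison against the file image."""
    hook = detect_inline_hook(live, func_addr)
    if hook:
        return {"function": name, "hooked": True, "kind": hook[0], "target": hook[1]}
    if live[:len(disk)] != disk:
        return {"function": name, "hooked": True, "kind": "modified", "target": None}
    return {"function": name, "hooked": False}


def scan(table: dict) -> list:
    """table maps export name -> (live bytes, on-disk bytes, function address)."""
    return [compare_with_disk(n, live, disk, addr) for n, (live, disk, addr) in table.items()]


# Constructed scenario: NtCreateFile patched with a 5-byte jmp into 0x00FF0000,
# NtClose left untouched. Addresses are placeholders, not taken from the sample.
NTCREATEFILE_ADDR = 0x7C90D0AE
HOOK_TARGET = 0x00FF0000
_rel32 = (HOOK_TARGET - (NTCREATEFILE_ADDR + 5)) & 0xFFFFFFFF
HOOKED_STUB = bytes([0xE9]) + struct.pack("<I", _rel32) + CLEAN_STUB[5:]

CONSTRUCTED = {
    "NtCreateFile": (HOOKED_STUB, CLEAN_STUB, NTCREATEFILE_ADDR),
    "NtClose": (CLEAN_STUB, CLEAN_STUB, 0x7C90CFD0),
}

if __name__ == "__main__":
    for result in scan(CONSTRUCTED):
        print(result)
```

The byte comparison must be done against the file's section as it would be mapped (relocations applied if the DLL was rebased); a mismatch in the first few bytes of an export is a strong signal, a mismatch deep inside a function can be a legitimate patch and needs a second look.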
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1152
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Adobe\Reader 9.0\Reader\ACROTEXTEXTRACTOR.EXE (100 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBEUPDATERINSTALLMGR.EXE (100 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (1188 bytes)
C:\totalcmd\TCUNINST.EXE (1300 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (1124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (1044 bytes)
%Program Files%\WinPcap\rpcapd.exe (1588 bytes)
%Program Files%\Common Files\Java\Java Update\jaureg.exe (1556 bytes)
%Program Files%\Outlook Express\oemig50.exe (1652 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\READERUPDATER.EXE (356 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACRORD32INFO.EXE (1604 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (658 bytes)
C:\totalcmd\TOTALCMD64.EXE (1510 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (548 bytes)
%Program Files%\Messenger\msmsgs.exe (1428 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACROBROKER.EXE (52 bytes)
%Program Files%\Common Files\Java\Java Update\jucheck.exe (436 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe (1428 bytes)
C:\totalcmd\NOCLOSE.EXE (1764 bytes)
%System%\Serverx.exe (1504347 bytes)
%Program Files%\Outlook Express\wabmig.exe (1236 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (692 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (996 bytes)
%Program Files%\NetMeeting\conf.exe (108 bytes)
%Program Files%\Common Files\Java\Java Update\jaucheck.exe (1300 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe (110 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (116 bytes)
%Program Files%\NetMeeting\cb32.exe (1540 bytes)
%Program Files%\Outlook Express\setup50.exe (1252 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBE_UPDATER.EXE (1046 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1236 bytes)
%Program Files%\Internet Explorer\iedw.exe (1684 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ADOBECOLLABSYNC.EXE (340 bytes)
%Program Files%\Outlook Express\wab.exe (980 bytes)
%Program Files%\NetMeeting\wb32.exe (1540 bytes)
C:\totalcmd\NOCLOSE64.EXE (1220 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (532 bytes)
%Program Files%\Microsoft Office\Office14\PPTVIEW.EXE (1840 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (708 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ACROBATUPDATER.EXE (356 bytes)
C:\totalcmd\TCMDX64.EXE (1252 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\LOGTRANSPORT2.EXE (1060 bytes)
%Program Files%\Movie Maker\moviemk.exe (1156 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1876 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (1556 bytes)
C:\totalcmd\TCUNIN64.EXE (1908 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1044 bytes)
C:\totalcmd\TCMADMIN.EXE (1940 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\A3DUTILITY.EXE (596 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ADOBEARMHELPER.EXE (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\PDFPREVHNDLRSHIM.EXE (340 bytes)
C:\totalcmd\TCMDX32.EXE (1684 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (692 bytes)
%Program Files%\Outlook Express\msimn.exe (1652 bytes)
C:\totalcmd\TcUsbRun.exe (1764 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (1316 bytes)
C:\totalcmd\TCMADM64.EXE (356 bytes)
C:\totalcmd\TOTALCMD.EXE (1592 bytes)
%Program Files%\WinPcap\UNINSTALL.EXE (1552 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1732 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "%System%\Serverx.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Oracle Corporation
Product Name: Java(TM) Platform SE 8
Product Version: 8.0.40.25
Legal Copyright: Copyright (c) 2015
Legal Trademarks:
Original Filename: java.exe
Internal Name: java
File Version: 8.0.40.25
File Description: Java(TM) Platform SE binary
Comments:
Language: Language Neutral
The version resource is the one Oracle ships with java.exe 8u40 (compare the java.pdb path and the "1.8.0_40-b25" string under Strings from Dumps), while the Summary records no certificate. A binary that carries a vendor's version information but no valid Authenticode signature should not be trusted on the strength of that resource.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 107966 | 108032 | 4.62622 | e737892dafba196f5517192a47b4d843 |
.rdata | 114688 | 29656 | 29696 | 4.4583 | 2aa9d8184737734f8a35c6a9358f11e8 |
.data | 147456 | 13504 | 5632 | 2.2278 | fff6823adbeba8b906a283898eeb89b0 |
.rsrc | 163840 | 33112 | 33280 | 4.17222 | a25eeb76d2171a8d55dfb485f18f6d5a |
.reloc | 200704 | 156460 | 156460 | 4.52662 | 13adba8540b19c50cf9851e94b43fbcd |
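As an added example (not part of the report), the checks below run over the section table above: whether the raw sizes account for the whole 334124-byte file, how much of the file the last section occupies, and whether the RWX region dumped as %original file name%.exe_348_rwx_00456000_00002000 falls inside it. The 0x400000 image base and the 1024-byte SizeOfHeaders are assumptions; the report lists neither, although with those values the section sizes add up to the file size exactly.

```python
"""Section-table sanity checks for a suspected file infector (added example)."""

FILE_SIZE = 334124          # from the Summary
IMAGE_BASE = 0x400000       # assumption: default image base, not stated in the report
HEADER_SIZE = 1024          # assumption: SizeOfHeaders, not stated in the report

# (name, VirtualAddress, VirtualSize, RawSize, entropy) copied from the PE Sections table.
SECTIONS = [
    (".text",  4096,   107966, 108032, 4.62622),
    (".rdata", 114688, 29656,  29696,  4.4583),
    (".data",  147456, 13504,  5632,   2.2278),
    (".rsrc",  163840, 33112,  33280,  4.17222),
    (".reloc", 200704, 156460, 156460, 4.52662),
]


def section_for_va(sections, va, image_base=IMAGE_BASE):
    """Name of the section whose virtual range contains the given virtual address."""
    rva = va - image_base
    for name, vaddr, vsize, _, _ in sections:
        if vaddr <= rva < vaddr + vsize:
            return name
    return None


def last_section_share(sections, file_size):
    """(name, fraction of the file taken by the last section's raw data)."""
    name, _, _, raw, _ = sections[-1]
    return name, raw / file_size


def overlay_size(sections, file_size, header_size=HEADER_SIZE):
    """Bytes beyond headers plus all raw sections; > 0 means appended overlay data."""
    return file_size - (header_size + sum(s[3] for s in sections))


def findings(sections, file_size):
    """Human-readable triage notes; empty for an unremarkable image."""
    out = []
    name, share = last_section_share(sections, file_size)
    if name == ".reloc" and share > 0.10:
        out.append(f"{name} holds {share:.0%} of the file; relocation data is normally "
                   "a small fraction of an image")
    text_raw = next(s[3] for s in sections if s[0] == ".text")
    if sections[-1][3] > text_raw:
        out.append(f"last section ({sections[-1][3]} bytes) is larger than .text ({text_raw} bytes)")
    hit = section_for_va(sections, 0x00456000)
    if hit == sections[-1][0]:
        out.append(f"RWX dump region 0x00456000 maps into the last section ({hit})")
    overlay = overlay_size(sections, file_size)
    if overlay > 0:
        out.append(f"{overlay} bytes of overlay after the last section")
    return out


if __name__ == "__main__":
    for line in findings(SECTIONS, FILE_SIZE):
        print(line)
```

None of these checks proves where the infector body lives; they point at the region to carve and disassemble first (here the tail of .reloc, which is where the second dump with its own import names and the Serverx.exe string was taken from).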
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
irc.zief.pl | 148.81.111.121 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
NICK aziqrnej.USER n020501 . . :#a8a67a25e Service Pack 3.JOIN #.364.
:irc 001 aziqrnej :Hi virtu.:irc 376 aziqrnej :End of /MOTD command.:irc 001 aziqrnej :Hi virtu.:irc 376 aziqrnej :End of /MOTD command..:aziqrnej JOIN #.364..:aziqrnej JOIN #.364.
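The capture above shows the bot registering (NICK, USER), joining a channel and receiving the server's welcome (001) and end-of-MOTD (376) numerics. Below is an added example, not part of the report, of the parsing a detection script would do over such traffic: it reconstructs the exchange with CRLF line endings (the report renders them as dots; the server-side lines are constructed to match the numerics shown), splits it into IRC messages and extracts the registration details together with a few bot-like traits. The trait heuristics are this example's own, not Emerging Threats rule logic.

```python
"""IRC registration parser with botnet-trait flags (added example; capture reconstructed)."""
import re

# Reconstructed from the report's Traffic lines; server replies constructed to match.
CONSTRUCTED_CAPTURE = (
    "NICK aziqrnej\r\n"
    "USER n020501 . . :#a8a67a25e Service Pack 3\r\n"
    "JOIN #.364\r\n"
    ":irc 001 aziqrnej :Hi virtu.\r\n"
    ":irc 376 aziqrnej :End of /MOTD command.\r\n"
    ":aziqrnej JOIN #.364\r\n"
)

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(text):
    """Split raw IRC into messages: prefix, command, middle params and trailing param."""
    msgs = []
    for line in text.split("\r\n"):
        if not line:
            continue
        m = IRC_LINE.match(line)
        if not m:
            continue
        params = m.group("params") or ""
        if params.startswith(":"):
            middle, trailing = "", params[1:]
        elif " :" in params:
            middle, trailing = params.split(" :", 1)
        else:
            middle, trailing = params, None
        msgs.append({"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
                     "params": middle.split(), "trailing": trailing})
    return msgs


def session_indicators(text):
    """Registration details sent by the client, plus heuristic flags."""
    ind = {"nick": None, "user": None, "realname": None, "channels": [], "flags": []}
    for m in parse_irc(text):
        if m["prefix"] is not None:          # server lines and echoes are not client input
            continue
        if m["cmd"] == "NICK":
            ind["nick"] = m["params"][0] if m["params"] else m["trailing"]
        elif m["cmd"] == "USER":
            ind["user"] = m["params"][0] if m["params"] else None
            ind["realname"] = m["trailing"]
        elif m["cmd"] == "JOIN":
            targets = m["params"][0] if m["params"] else (m["trailing"] or "")
            ind["channels"].extend(c for c in targets.split(",") if c)

    nick = ind["nick"] or ""
    # All-letter nick with a run of three consonants: weak signal for generated names.
    if re.fullmatch(r"[a-z]+", nick) and re.search(r"[^aeiou]{3}", nick):
        ind["flags"].append("random-looking-nick")
    # Bots commonly report the victim OS in the USER realname field.
    if ind["realname"] and re.search(r"Service Pack \d|Windows|Win ?(XP|7|8|10)", ind["realname"]):
        ind["flags"].append("os-fingerprint-in-realname")
    # Channel names that start with punctuation or digits are not chosen by humans.
    if any(re.match(r"^#[.\d]", c) for c in ind["channels"]):
        ind["flags"].append("non-human-channel-name")
    return ind


if __name__ == "__main__":
    print(session_indicators(CONSTRUCTED_CAPTURE))
```

The same parser runs over a pcap-extracted TCP stream; pairing the flags with the destination (irc.zief.pl, 148.81.111.121, from the URLs table) gives a host-based and a network-based indicator for the same session.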
Map
The Trojan connects to servers at the following location(s):
Strings from Dumps
%original file name%.exe_348:
.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
1.8.0_40-b25
wwwd_args[%d] = %s
Windows original main args:
-Djava.class.path=%s
TRACER_MARKER: NativeMemoryTracking: got value %s
TRACER_MARKER: NativeMemoryTracking: putenv arg %s
TRACER_MARKER: NativeMemoryTracking: env var is %s
%s%d=%s
option[-] = '%s'
ignoreUnrecognized is %s,
----%s----
-Djava.class.path=
-Dapplication.home=%s
-Denv.class.path=%s
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
dotversion:%s
fullversion:%s
javaw:%s
launcher name:%s
program name:%s
javargs:%s
debug:%s
argv[-] = '%s'
App's argc is %d
%s is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
Error: main-class: attribute exceeds system limits of %d bytes
Error: Unable to locate JRE meeting specification "%s"
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Error: Syntax error in version specification "%s"
Error: Invalid or corrupt jarfile %s
Error: Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
Error: %s requires class path specification
%s full version "%s"
Error: %s requires jar file specification
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
-Dsun.java.launcher.diag=true
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s
Warning: Unknown VM type on line %d of `%s'
Warning: Missing server class VM on line %d of `%s'
Warning: Missing VM type on line %d of `%s'
Warning: No leading - on line %d of `%s'
Error: could not open `%s'
argv[%d] = %s
\bin\splashscreen.dll
Error: Unable to resolve %s
Error: CreateProcess(%s, ...) failed:
ReExec Args: %s
ReExec Command: %s (%s)
%s\bin\%s.exe
ExecJRE: new: %s
ExecJRE: old: %s
Error: loading: %s
jvm.dll
passing arguments as-is
passing arguments as-is.
Warning: app args is larger than the original, %d %d
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
%s\%s\JavaHome
Error: Registry key '%s'\CurrentVersion'
has value '%s', but '%s' is required.
Error: Failed reading value of registry key:
%s\CurrentVersion
Error: opening registry key '%s'
Error: could not find java.dll
%s\jre\bin\java.dll
JRE path is %s
%s\bin\java.dll
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Error: missing `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
%s%slib%s%s%sjvm.cfg
Error: This Java instance does not support a %d-bit JVM.
CRT path is %s
\bin\msvcr100.dll
msvcr100.dll
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\java_objs\java.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
COMCTL32.dll
PeekNamedPipe
GetCPInfo
GetProcessHeap
KERNEL32.dll
zcÃ
3333333333330
333333333307
PP%d(jjjjj
3"3 353@3{3
6 6$6(6,6
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
.Uby[#
mscoree.dll
.KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
8.0.40.25
java.exe
.Java SE Development Ki
%original file name%.exe_348_rwx_00456000_00002000:
KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
Explorer.EXE_888_rwx_00FF0000_00001000:
%System%\Serverx.exe