not-a-virus:AdWare.Win32.PennyBee.nu (Kaspersky), Application.Generic.1307206 (AdAware), Trojan.Win32.Swrort.3.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Adware
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 6c47b7ff9de6864a748f9f7bcb73cb64
SHA1: 91ea2aae0a43ae0b5ab4bd69bbe0f0182bbcc0f8
SHA256: daf4f46499fd36d440881121c183a508773825548746be79aad6ff11905f67e0
SSDeep: 49152:aTu8x6y0yBHvCheTs1UpptTtPUFaYrz3M9pkvfUZp YcNMJKZbrddJc:mug3vCh3UR9UA6wpIMZcYcNMcZbr3C
Size: 2040937 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Software Bundle Company
Created at: 2009-06-07 00:41:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
ijieaacy.EXE:3364
ijieaacy.EXE:3016
ijiedacy.exe:3044
ijiewacy.exe:2112
ijiewacy.exe:2416
Dulcum.exe:1680
Dulcum.exe:1628
oabilgu.exe:864
%original file name%.exe:388
HiowlEkhwor.exe:2964
HiowlEkhwor.exe:3196
ijieaacy.exe:592
The Application injects its code into the following process(es):
ijiedacy.exe:3404
ijieaacy.exe:2588
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ijiedacy.exe:3044 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loader[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The process ijiedacy.exe:3404 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v1[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pvint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8 (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6 (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pv[1].js (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmp_ext[1].js (8 bytes)
The process Dulcum.exe:1628 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%System%\Dulcum.ini (392 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\DulcumOff.ini (4 bytes)
The Application deletes the following file(s):
%WinDir%\Temp\CertsIE.dat (0 bytes)
The process oabilgu.exe:864 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%System%\Dulcum.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SpOrder.dll (392 bytes)
The process %original file name%.exe:388 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.dll (12024 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacyu.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (9320 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\utils.exe (6335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\boostwebapp_installer__1468410562.txt (21484 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum64.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgFd.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.EXE (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe (8560 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe (6584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgOd.sys (784 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu.exe (18424 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu64.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgd.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE (50832 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.EXE (85410 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgRd.sys (1552 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (156966 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)
The process ijieaacy.exe:592 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (574 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgR.sys (72 bytes)
%System%\drivers\tammg119.sys (26 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammg.sys (54 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (1156 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgF.sys (70 bytes)
The process ijieaacy.exe:2588 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (3072 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (1528 bytes)
%WinDir%\Tasks\Tempo Runner ijiedacy.job (3016 bytes)
The Application deletes the following file(s):
%WinDir%\Tasks\Tempo Runner ijiedacy.job (0 bytes)
Registry activity
The process ijieaacy.EXE:3364 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 38 D4 B6 11 EC 5F 30 6C 8F 24 ED D6 8A 1C 77"
The process ijieaacy.EXE:3016 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 F7 E3 6E 30 4B FE 74 03 6B 7F 76 DC FA 49 30"
The process ijiedacy.exe:3044 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 48 7A 81 46 29 BC E5 50 46 38 F8 AD 61 56 C5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Application modifies IE security-zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Application modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ijiedacy.exe:3404 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\AppdataLow\Software\raelvyo\data]
"E419E2445BF82w23" = "120000"
"AAD4DBA9766467aw23" = "60000"
"AAD4DBA9766467evaw23" = "120000"
"CAD4DBA9766467bducw23" = "3600000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\AppdataLow\Software\raelvyo\data]
"S132B7B8F1DC15w23" = "32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppdataLow\Software\raelvyo\data]
"__cxe_type" = ".10110101"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 84 E0 82 AD 31 B6 7A A2 BC 82 B7 F9 78 BA 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Application modifies IE security-zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Application modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Application modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Application deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ijiewacy.exe:2112 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 2B 09 2D 7B 18 C3 E6 36 98 76 0E 44 8E 22 46"
The process ijiewacy.exe:2416 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6F 4A 75 9F 7A 1B 0C 90 A5 71 C2 4E 5D 4F 30"
The process Dulcum.exe:1680 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0]
"(Default)" = "UEO 1.0 Type Library"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}]
"(Default)" = "IWFPController"
[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.AzeKhzawivyro.1]
"(Default)" = "AzeKhzawivyro Class"
[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"InstallingUser" = "eABwADEAXABhAGQAbQAAAA=="
[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}]
"(Default)" = "IChatControl"
[HKCR\DulcumLib.WiiWibdyftitg\CLSID]
"(Default)" = "{1F0F6135-E368-41DA-a327-92D021B47810}"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"KomodiaParameters1" = "0"
[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}]
"(Default)" = "INATDriver"
[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.JoasHobhyl\CurVer]
"(Default)" = "DulcumLib.JoasHobhyl.1"
[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.WiiWibdyftitg\CurVer]
"(Default)" = "DulcumLib.WiiWibdyftitg.1"
[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}]
"(Default)" = "IDataTable"
[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\DulcumLib.ChoFedgiw]
"(Default)" = "ChoFedgiw Class"
[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\DulcumLib.JoasHobhyl.1]
"(Default)" = "JoasHobhyl Class"
[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.SysxNhropto\CurVer]
"(Default)" = "DulcumLib.SysxNhropto.1"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\VersionIndependentProgID]
"(Default)" = "DulcumLib.JoasHobhyl"
[HKCR\DulcumLib.ChoFedgiw.1]
"(Default)" = "ChoFedgiw Class"
[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}]
"(Default)" = "ILSPLogic"
[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}]
"(Default)" = "IWatchDog"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\ProgID]
"(Default)" = "DulcumLib.SysxNhropto.1"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}]
"(Default)" = "JoasHobhyl Class"
[HKCR\DulcumLib.SysxNhropto.1]
"(Default)" = "SysxNhropto Class"
[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\DulcumLib.SysxNhropto]
"(Default)" = "SysxNhropto Class"
[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"LocalService" = "Dulcum"
[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.BeiwPhnumge.1\CLSID]
"(Default)" = "{48C17124-4EDF-46A8-9E2A-41396B4F6A55}"
[HKCR\DulcumLib.SysxNhropto\CLSID]
"(Default)" = "{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}"
[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\ProgID]
"(Default)" = "DulcumLib.AzeKhzawivyro.1"
[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}]
"(Default)" = "IInjector"
[HKCR\DulcumLib.RhnoSogafagwaf]
"(Default)" = "RhnoSogafagwaf Class"
[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}]
"(Default)" = "IReadOnlyManager"
[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}]
"(Default)" = "IDataStatistics"
[HKCR\DulcumLib.JoasHobhyl.1\CLSID]
"(Default)" = "{1FB49220-9E99-444C-85AA-F55307D0134F}"
[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.WiiWibdyftitg.1]
"(Default)" = "WiiWibdyftitg Class"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\DulcumLib.WiiWibdyftitg]
"(Default)" = "WiiWibdyftitg Class"
[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}]
"(Default)" = "ISSHController"
[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31"
[HKCR\DulcumLib.BeiwPhnumge\CLSID]
"(Default)" = "{48C17124-4EDF-46A8-9E2A-41396B4F6A55}"
[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.JoasHobhyl]
"(Default)" = "JoasHobhyl Class"
[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}]
"(Default)" = "IParentalControlController"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E8 4F 3C D7 30 72 C2 43 C4 52 3D 9D 97 98 61"
[HKCR\AppID\Dulcum.EXE]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\DulcumLib.BeiwPhnumge]
"(Default)" = "BeiwPhnumge Class"
[HKCR\DulcumLib.ChoFedgiw\CurVer]
"(Default)" = "DulcumLib.ChoFedgiw.1"
[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}]
"(Default)" = "RhnoSogafagwaf Class"
[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\ProgID]
"(Default)" = "DulcumLib.JoasHobhyl.1"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dulcum]
"(Default)" = "service"
[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}]
"(Default)" = "IProxyChecks"
[HKCR\DulcumLib.BeiwPhnumge\CurVer]
"(Default)" = "DulcumLib.BeiwPhnumge.1"
[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.AzeKhzawivyro\CurVer]
"(Default)" = "DulcumLib.AzeKhzawivyro.1"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}]
"(Default)" = "AzeKhzawivyro Class"
[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.SysxNhropto.1\CLSID]
"(Default)" = "{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\VersionIndependentProgID]
"(Default)" = "DulcumLib.WiiWibdyftitg"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}]
"(Default)" = "BeiwPhnumge Class"
[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}]
"(Default)" = "IParentalControl"
[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"(Default)" = "Dulcum"
[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}]
"(Default)" = "WiiWibdyftitg Class"
[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\VersionIndependentProgID]
"(Default)" = "DulcumLib.BeiwPhnumge"
[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\DulcumLib.AzeKhzawivyro\CLSID]
"(Default)" = "{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}"
[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}]
"(Default)" = "IDataTableFields"
[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\VersionIndependentProgID]
"(Default)" = "DulcumLib.ChoFedgiw"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\VersionIndependentProgID]
"(Default)" = "DulcumLib.SysxNhropto"
[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\ProgID]
"(Default)" = "DulcumLib.BeiwPhnumge.1"
[HKCR\DulcumLib.RhnoSogafagwaf.1]
"(Default)" = "RhnoSogafagwaf Class"
[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\ProgID]
"(Default)" = "DulcumLib.RhnoSogafagwaf.1"
[HKCR\DulcumLib.BeiwPhnumge.1]
"(Default)" = "BeiwPhnumge Class"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\ProgID]
"(Default)" = "DulcumLib.WiiWibdyftitg.1"
[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.WiiWibdyftitg.1\CLSID]
"(Default)" = "{1F0F6135-E368-41DA-a327-92D021B47810}"
[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"ServiceParameters" = "-Service"
[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\VersionIndependentProgID]
"(Default)" = "DulcumLib.AzeKhzawivyro"
[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}]
"(Default)" = "IDataTableHolder"
[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\VersionIndependentProgID]
"(Default)" = "DulcumLib.RhnoSogafagwaf"
[HKCR\DulcumLib.AzeKhzawivyro]
"(Default)" = "AzeKhzawivyro Class"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.JoasHobhyl\CLSID]
"(Default)" = "{1FB49220-9E99-444C-85AA-F55307D0134F}"
[HKCR\DulcumLib.RhnoSogafagwaf.1\CLSID]
"(Default)" = "{DD23A82A-F952-4106-8BD6-EDCD545C637A}"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
[HKCR\DulcumLib.ChoFedgiw.1\CLSID]
"(Default)" = "{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}"
[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\TypeLib]
"Version" = "1.0"
[HKCR\DulcumLib.AzeKhzawivyro.1\CLSID]
"(Default)" = "{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}"
[HKCR\DulcumLib.ChoFedgiw\CLSID]
"(Default)" = "{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}"
[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\DulcumLib.RhnoSogafagwaf\CurVer]
"(Default)" = "DulcumLib.RhnoSogafagwaf.1"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\ProgID]
"(Default)" = "DulcumLib.ChoFedgiw.1"
[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}]
"(Default)" = "IDataContainer"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"
[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}]
"(Default)" = "SysxNhropto Class"
[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}]
"(Default)" = "IDataController"
[HKCR\DulcumLib.RhnoSogafagwaf\CLSID]
"(Default)" = "{DD23A82A-F952-4106-8BD6-EDCD545C637A}"
[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}]
"(Default)" = "ChoFedgiw Class"
[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"
[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"
The Application deletes the following value(s) in system registry:
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"LocalService"
[HKLM\System\CurrentControlSet\Services\Dulcum]
"NoCom"
[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"KomodiaParameters1"
The process Dulcum.exe:1628 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 92 49 D3 3C D5 61 9D B4 7B 10 8B 5C 06 FD 27"
The process oabilgu.exe:864 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF CD 05 A4 07 5E FD 04 D7 16 02 49 47 89 3A 51"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "14"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "12"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "43 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1021"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "43 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73"
The Application deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000C]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000B]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000E]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000D]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
The process %original file name%.exe:388 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 1B 83 4C A7 76 BE 62 24 B1 C2 30 AE CD 38 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"SetupType" = "71070"
"UninstallString" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe /ga=1503 /ai=119 /bi=5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"DisplayIcon" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"DisplayVersion" = "1.1.0.31"
"DisplayName" = "boostwebapp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"Publisher" = "boostwebapp"
The process HiowlEkhwor.exe:2964 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 BB B1 0B 77 9D E6 D6 03 5F 3F 68 13 5B 07 D3"
The process HiowlEkhwor.exe:3196 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED CF 8C 6C B6 5E FD 0F D2 32 36 6E AD 66 C0 2F"
The process ijieaacy.exe:592 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 22 39 DB 2A 94 2F B4 75 14 DC 16 04 05 01 D1"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tammg119.sys]
"(Default)" = "Driver"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\tammg119.sys]
"(Default)" = "Driver"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"InstallDate" = "20141028"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE|Name=yefejnafyte|"
[HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE|Name=yefejnafyte|"
The Application adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31]
"ijieaacy.EXE" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE:*:Enabled:yefejnafyte"
Adds a rule to the Windows Firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31]
"ijieaacy.EXE" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE:*:Enabled:yefejnafyte"
The process ijieaacy.exe:2588 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 1D BA 78 A3 E4 CC 49 E9 81 99 5F 08 B3 0F D6"
[HKLM\SOFTWARE\119_31]
"AMMDCS" = "1503"
Dropped PE files
MD5 | File path |
---|---|
a082e5473b2a9a4d846ed7ddf637ac76 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SpOrder.dll |
1ed93ff8ca9ebb32bfa0c3ec6cd304ee | c:\WINDOWS\system32\Dulcum.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\Drivers\tammg119.sys" the Application controls the creation and termination of processes by installing a process notifier.
Using the driver "%System%\Drivers\tammg119.sys" the Application controls the loading of executable images into memory by installing a load-image notifier.
The Application installs the following kernel-mode hooks:
ZwCreateFile
ZwCreateKey
ZwDeleteFile
ZwDeleteValueKey
ZwOpenFile
ZwOpenKey
ZwOpenProcess
ZwQueryDirectoryFile
ZwSetInformationFile
ZwSetValueKey
ZwTerminateProcess
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ijieaacy.EXE:3364
ijieaacy.EXE:3016
ijiedacy.exe:3044
ijiewacy.exe:2112
ijiewacy.exe:2416
Dulcum.exe:1680
Dulcum.exe:1628
oabilgu.exe:864
%original file name%.exe:388
HiowlEkhwor.exe:2964
HiowlEkhwor.exe:3196
ijieaacy.exe:592
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loader[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v1[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pvint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pv[1].js (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmp_ext[1].js (8 bytes)
%System%\Dulcum.ini (392 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\DulcumOff.ini (4 bytes)
%System%\Dulcum.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SpOrder.dll (392 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.dll (12024 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacyu.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (9320 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\utils.exe (6335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\boostwebapp_installer__1468410562.txt (21484 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum64.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgFd.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.EXE (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe (8560 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe (6584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgOd.sys (784 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu.exe (18424 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu64.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgd.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE (50832 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.EXE (85410 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgRd.sys (1552 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (156966 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgR.sys (72 bytes)
%System%\drivers\tammg119.sys (26 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammg.sys (54 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgF.sys (70 bytes)
%WinDir%\Tasks\Tempo Runner ijiedacy.job (3016 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.31
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 77824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 225280 | 16944 | 17408 | 4.08558 | e9d00de7898ae3a42a8383ed8a0b0e7f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1507
05a7d3434a4f7fdbf0701537409ba2c8
4bf34bc204bb69496cc6a0b436579d7e
a5f8445545e7bfc14cd588a274ea284e
572105a8ba55d2ef27962d6242cda1a9
fba421ce52f88abe24a6f442cc13c15a
199ef97c118cac4e6addd542782e1309
a5f1146ebffd8392352121c21c3b3f52
b3ff54f0cd98ef37fb27f909ac15e444
1d2101755f896e327ec4734319bd3d89
4190e6cc8b16b17837f8442cd4a63b08
533f39598ecde771b2ddf79d03bee8a3
0d1f1b2208adefb85ccfb277dbaa719e
dc1901f5c30b0434755161b64cc9b3e7
48c881963c75a040f66001abfcb7dab4
1a57c4008bf899d167ad4198a1811cd7
2167b945f9c7ca1c893bbcdea6ea8393
a5c292385d45b17e0aff1bb774c1ef43
304f20ad0e7d4adf43547404973363ae
31b5af32f5e6fe31bf7e4285726d068e
b0fa639e99820ba53d6d11010b35ed32
69f508db972b99dff54fe4d8140cd4bd
65837be2678ce23950c440b1d4990e79
1bb07664674617cc7e5e69e4da6e6c24
b5af7f46cb2a563e11fe1c24292683c5
c95a9743fb340b5cded367e28445d822
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Application connects to the servers at the following location(s):
Strings from Dumps
Dulcum.exe_1628:
.text
`.rdata
@.data
.idata
.rsrc
Mj.hL
ughd%c
9^Du.Sh
SShP[c
SShx[c
;0u.RVj
RSSSSSSh
;%uHS
28^%u
>8_%u
xSSSh
FTPjKS
FtPj;S
C.PjRV
NtDll.dll
boostwebapp
\chrome.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command
Google Chrome
Software\Mozilla\Mozilla Firefox
PathToExe
\Internet Explorer\iexplore.exe
iexplore.exe
%d.%d.%d.%d
mac=XXXXXX
112233445566
SbieDll.dll
explorer.exe
winlogon.exe
svchost.exe
v2.10|Action=Allow|Active=TRUE|Dir=In|App=%s|Name=%s|
{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}
%s\%s
%s%s.exe
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
Shell32.dll
%s%s.dat
%s%sb%s
RegDeleteKeyExA
advapi32.dll
RegDeleteKeyA
%s\Volatile Environment
%sLow
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
HKEY_LOCAL_MACHINE\SOFTWARE\
kernel32.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Line %d, Column %d
{"%s": [ { "time": "%d", "count": "1", "report": "no", "active": "no" } ] }
report
?type=ma%sec&id=%d
?type=ma%sown&rep=%d&id=%d&merr=%d&fst=%d
%s.exe
taskkill /F /T /IM %s
?type=ma%sct&id=%d&pidb=%d&pida=%d&pidrt=%d&pidrs=%d&susb=%d&susa=%d
hXXp://s3.zawss.info/client-cmd/cr.html
%d_%m_%H_%M_%S
%Y%m%d
1.1.0.31
10110101
?type=map_open&id=%d&err=%d
%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d
:Invalid buffer size was passed to a Blowfish encryption or decryption routine.
:Invalid buffer size was passed to a Blowfish encryption or decryption routine.
Invalid key length used to initialize BlowFish.
Invalid key length used to initialize BlowFish.
inj.htm
inj.htm
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
{1FB49220-9E99-444C-85AA-F55307D0134F}
{1FB49220-9E99-444C-85AA-F55307D0134F}
CDataController::HyhoPeravis with param
CDataController::HyhoPeravis with param
Not supported for this version!
Not supported for this version!
avp.exe
avp.exe
nod32.exe
nod32.exe
ekrn.exe
ekrn.exe
fsdfwd.exe
fsdfwd.exe
iswsvc.exe
iswsvc.exe
avastsvc.exe
avastsvc.exe
{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}
{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}
hkey_local_machine\
hkey_local_machine\
Dulcum.ini
Dulcum.ini
Failed to open software key with error
Failed to open software key with error
Failed to create software key with error
Failed to create software key with error
Failed to open key with error
Failed to open key with error
Data type not supporting this operation!
Data type not supporting this operation!
{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}
{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}
{1F0F6135-E368-41DA-a327-92D021B47810}
{1F0F6135-E368-41DA-a327-92D021B47810}
CDLLManager::FireFoxCallback - Crash
CDLLManager::FireFoxCallback - Crash
HandleProxyHTTPConnect
HandleProxyHTTPConnect
HTTPRequestBeforeSend
HTTPRequestBeforeSend
HTTPRequestBeforeReceive
HTTPRequestBeforeReceive
CDLLManager, DLL in HTTP mode only
CDLLManager, DLL in HTTP mode only
ms inside DLL (HandleHTTPConnect)!
ms inside DLL (HandleHTTPConnect)!
Crash in CDLLManager::HandleHTTPConnect
Crash in CDLLManager::HandleHTTPConnect
) does not support HTTP Parser
) does not support HTTP Parser
DLL HTTPRequestBeforeSend (ID:
DLL HTTPRequestBeforeSend (ID:
Going to call DLL HTTPRequestBeforeSend (ID:
Going to call DLL HTTPRequestBeforeSend (ID:
Crash in CDLLManager::HTTPRequestBeforeSend
Crash in CDLLManager::HTTPRequestBeforeSend
Crash in CDLLManager::HTTPRequestBeforeSend call to *(m_pData->pHTTPBeforeSend)
Crash in CDLLManager::HTTPRequestBeforeSend call to *(m_pData->pHTTPBeforeSend)
ms inside DLL (HTTPRequestBeforeSend)!
ms inside DLL (HTTPRequestBeforeSend)!
Going to call DLL HTTPRequestBeforeReceive (ID:
Going to call DLL HTTPRequestBeforeReceive (ID:
DLL HTTPRequestBeforeReceive (ID:
DLL HTTPRequestBeforeReceive (ID:
Crash in CDLLManager::HTTPRequestBeforeReceive call to *(m_pData->pHTTPBeforeReceive)
Crash in CDLLManager::HTTPRequestBeforeReceive call to *(m_pData->pHTTPBeforeReceive)
ms inside DLL (HTTPRequestBeforeReceive)!
ms inside DLL (HTTPRequestBeforeReceive)!
Crash in CDLLManager::HTTPRequestBeforeReceive
Crash in CDLLManager::HTTPRequestBeforeReceive
\\.\Ndisredir
\\.\Ndisredir
WINDOWS-874
WINDOWS-874
WINDOWS-1250
WINDOWS-1250
WINDOWS-1251
WINDOWS-1251
WINDOWS-1252
WINDOWS-1252
WINDOWS-1253
WINDOWS-1253
WINDOWS-1254
WINDOWS-1254
WINDOWS-1255
WINDOWS-1255
WINDOWS-1256
WINDOWS-1256
WINDOWS-1257
WINDOWS-1257
WINDOWS-1258
WINDOWS-1258
WINDOWS-1259
WINDOWS-1259
REPORT
REPORT
HTTP/1.1 200 OK
HTTP/1.1 200 OK
0;URL=
0;URL=
HTTP/1.1 302 FOUND
HTTP/1.1 302 FOUND
HTTP/1.1 307 FOUND
HTTP/1.1 307 FOUND
cswindows31j
cswindows31j
windows-1256
windows-1256
windows-1255
windows-1255
windows-1254
windows-1254
windows-1253
windows-1253
windows-1252
windows-1252
windows-1251
windows-1251
windows-1250
windows-1250
VVV.tse.jus.br
VVV.tse.jus.br
VVV.justicaeleitoral.jus.br
VVV.justicaeleitoral.jus.br
maybankard.net
maybankard.net
1.2.5
1.2.5
HTTP/1.1 302
HTTP/1.1 302
HTTP/1.
HTTP/1.
hXXp://
hXXp://
hXXps://
hXXps://
HTTP/1.1 100
HTTP/1.1 100
HTTP/1.1
HTTP/1.1
HTTP://
HTTP://
HTTP/1.
HTTP/1.
http:
http:
daum.net
daum.net
hXXp://VVV.google.com
hXXp://VVV.google.com
http/1.
http/1.
.mpeg
.mpeg
.flac
.flac
.tiff
.tiff
.jpeg
.jpeg
Failed getting GIT inside HTTPRequestBeforeSend
Failed getting GIT inside HTTPRequestBeforeSend
COM error on HTTPRequestBeforeSend
COM error on HTTPRequestBeforeSend
COM error (try/catch) on HTTPRequestBeforeSend
COM error (try/catch) on HTTPRequestBeforeSend
COM error on HTTPRequestBeforeSend performing redirect
COM error on HTTPRequestBeforeSend performing redirect
COM error on HTTPRequestBeforeSend can't perform redirect
COM error on HTTPRequestBeforeSend can't perform redirect
HTTPRequestBeforeSend received bad header, will block request!
HTTPRequestBeforeSend received bad header, will block request!
HTTPRequestBeforeSend received request to modify header, but without one!
HTTPRequestBeforeSend received request to modify header, but without one!
Failed getting GIT inside HTTPRequestBeforeReceive
Failed getting GIT inside HTTPRequestBeforeReceive
COM error on HTTPRequestBeforeReceive
COM error on HTTPRequestBeforeReceive
COM error (try/catch) on HTTPRequestBeforeReceive
COM error (try/catch) on HTTPRequestBeforeReceive
COM error on HTTPRequestBeforeReceive performing redirect
COM error on HTTPRequestBeforeReceive performing redirect
COM error on HTTPRequestBeforeReceive can't perform redirect
COM error on HTTPRequestBeforeReceive can't perform redirect
HTTPRequestBeforeReceive empty header, will block request!
HTTPRequestBeforeReceive empty header, will block request!
HTTPRequestBeforeReceive failed to parse header, will block request!
HTTPRequestBeforeReceive failed to parse header, will block request!
, port:
, port:
, password:
, password:
127.0.0.1
127.0.0.1
HTTP/1.1
HTTP/1.1
User-Agent: Mozilla/5.0 (compatible;MSIE 7.0;Windows NT 6.0)
User-Agent: Mozilla/5.0 (compatible;MSIE 7.0;Windows NT 6.0)
.logmein.com
.logmein.com
{DD23A82A-F952-4106-8BD6-EDCD545C637A}
{DD23A82A-F952-4106-8BD6-EDCD545C637A}
ws2_32.dll
ws2_32.dll
COperationsManager::InitDownloadThread
COperationsManager::InitDownloadThread
Dulcum.EXE
Dulcum.EXE
COperationsManager::Init
COperationsManager::Init
COperationsManager
COperationsManager
Shutting down execution threads
Shutting down execution threads
Shutting down execution threads (stats)
Shutting down execution threads (stats)
Shutting down execution threads (saving stats)
Shutting down execution threads (saving stats)
Dulcum.log
Dulcum.log
CertInstaller
CertInstaller
Shuting down cert installer
Shuting down cert installer
No default cert and no custom cert found!
No default cert and no custom cert found!
Custom cert set at CertThread
Custom cert set at CertThread
Empty custom password
Empty custom password
UECert.dll
UECert.dll
Failed loading cert installer (
Failed loading cert installer (
Loaded cert installer
Loaded cert installer
InstallFirefoxDirectory
InstallFirefoxDirectory
Failed mapping InstallFirefoxDirectory with error:
Failed mapping InstallFirefoxDirectory with error:
Failed authenticating cert installer DLL
Failed authenticating cert installer DLL
SetCertDLL
SetCertDLL
Failed mapping SetCertDLL with error:
Failed mapping SetCertDLL with error:
Got custom public key from:
Got custom public key from:
Failed to open custom cert file with error:
Failed to open custom cert file with error:
InstallWindowsDLL
InstallWindowsDLL
Failed mapping InstallWindowsDLL with error:
Failed mapping InstallWindowsDLL with error:
InstallWindowsBinaryDLL
InstallWindowsBinaryDLL
Failed mapping InstallWindowsBinaryDLL with error:
Failed mapping InstallWindowsBinaryDLL with error:
Installed Windows 8.1 custom cert
Installed Windows 8.1 custom cert
Failed to install Windows 8.1 custom cert
Failed to install Windows 8.1 custom cert
GetCertPEMDLL
GetCertPEMDLL
Failed mapping GetCertPEMDLL with error:
Failed mapping GetCertPEMDLL with error:
opera.exe
opera.exe
firefox.exe
firefox.exe
thunderbird.exe
thunderbird.exe
CertsFF.dat
CertsFF.dat
Our cert found in FF store
Our cert found in FF store
Firefox running in install cert, will not try to install cert
Firefox running in install cert, will not try to install cert
Opera running in install cert, will not try to install cert
Opera running in install cert, will not try to install cert
CertsOP.dat
CertsOP.dat
Thunderbird running in install cert, will not try to install cert
Thunderbird running in install cert, will not try to install cert
Saved Opera store
Saved Opera store
Failed to load Opera store
Failed to load Opera store
Loaded Opera store
Loaded Opera store
Release cert installer
Release cert installer
Crash on COperationsManager::CertThread
Crash on COperationsManager::CertThread
Crash on COperationsManager::InstallCertUser
Crash on COperationsManager::InstallCertUser
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
PavTrc.dll
PavTrc.dll
PavSHookWow.dll
PavSHookWow.dll
PavLspHookWow.dll
PavLspHookWow.dll
PavSHook.dll
PavSHook.dll
PavLspHook.dll
PavLspHook.dll
COperationsManager::CheckProxy - Added process:
COperationsManager::CheckProxy - Added process:
COperationsManager::CheckProxy - Added hard include process:
COperationsManager::CheckProxy - Added hard include process:
COperationsManager::CheckProxy
COperationsManager::CheckProxy
COperationsManager::DownloadThread - Failed getting dtFileDownload table!
COperationsManager::DownloadThread - Failed getting dtFileDownload table!
COperationsManager::DownloadThread - bad data for link:
COperationsManager::DownloadThread - bad data for link:
COperationsManager::DownloadThread - Bad registry setting:
COperationsManager::DownloadThread - Bad registry setting:
COperationsManager::DownloadThread - Failed getting reg value with error:
COperationsManager::DownloadThread - Failed getting reg value with error:
COperationsManager::DownloadThread - Failed to set registry setting with error:
COperationsManager::DownloadThread - Failed to set registry setting with error:
COperationsManager::DownloadThread - Going to check:
COperationsManager::DownloadThread - Going to check:
COperationsManager::DownloadThread - Error on call:
COperationsManager::DownloadThread - Error on call:
COperationsManager::DownloadThread - Didn't receive event for downloading link:
COperationsManager::DownloadThread - Didn't receive event for downloading link:
COperationsManager::DownloadThread - Timeout on the event for downloading link:
COperationsManager::DownloadThread - Timeout on the event for downloading link:
COperationsManager::DownloadThread - Error from event:
COperationsManager::DownloadThread - Error from event:
COperationsManager::DownloadThread - Timeout from the result for downloading link:
COperationsManager::DownloadThread - Timeout from the result for downloading link:
sdktmp.exe
sdktmp.exe
COperationsManager::DownloadThread - Going to run:
COperationsManager::DownloadThread - Going to run:
COperationsManager::DownloadThread - Failed to execute file:
COperationsManager::DownloadThread - Failed to execute file:
COperationsManager::ExecuteFile - Failed to run:
COperationsManager::ExecuteFile - Failed to run:
COperationsManager::DownloadThread - Failed to update ini file with error:
COperationsManager::DownloadThread - Failed to update ini file with error:
COperationsManager::DownloadThread - Received empty INI file
COperationsManager::DownloadThread - Received empty INI file
COperationsManager::ExecuteFile - Timeout waiting for process
COperationsManager::ExecuteFile - Timeout waiting for process
COperationsManager::ExecuteFile - Failed to delete:
COperationsManager::ExecuteFile - Failed to delete:
COperationsManager::GetAllUsers - Failed to get key with error:
COperationsManager::GetAllUsers - Failed to get key with error:
\Software\Microsoft\Windows\CurrentVersion\Internet Settings
\Software\Microsoft\Windows\CurrentVersion\Internet Settings
https
https
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
COperationsManager::NewProcessList - Installed mobile cert at:
COperationsManager::NewProcessList - Installed mobile cert at:
COperationsManager::NewProcessList - Failed to install mobile cert at:
COperationsManager::NewProcessList - Failed to install mobile cert at:
COperationsManager::NewProcessList - Crash calling InstallFirefox
COperationsManager::NewProcessList - Crash calling InstallFirefox
COperationsManager::NewProcessList - Going to install FF cert to:
COperationsManager::NewProcessList - Going to install FF cert to:
COperationsManager::NewProcessList - Installed regular cert at:
COperationsManager::NewProcessList - Installed regular cert at:
COperationsManager::GetMACAddress - error getting iphelper
COperationsManager::GetMACAddress - error getting iphelper
COperationsManager::NewProcessList - Failed to install regular cert at:
COperationsManager::NewProcessList - Failed to install regular cert at:
COperationsManager::NewProcessList - Failed getting user SID
COperationsManager::NewProcessList - Failed getting user SID
X:X:X:X:X:X
X:X:X:X:X:X
COperationsManager::GetKomodias - Failed to get key with error:
COperationsManager::GetKomodias - Failed to get key with error:
\\.\%c:
\\.\%c:
COperationsManager::OPStartService - Wrong data
COperationsManager::OPStartService - Wrong data
COperationsManager::OPStartService - Failed to open SCM
COperationsManager::OPStartService - Failed to open SCM
COperationsManager::OPStartService - Failed to open service with error:
COperationsManager::OPStartService - Failed to open service with error:
COperationsManager::OPStopService - Wrong data
COperationsManager::OPStopService - Wrong data
COperationsManager::OPStartService - Failed to start service with error
COperationsManager::OPStartService - Failed to start service with error
COperationsManager::OPStopService - Failed to open SCM
COperationsManager::OPStopService - Failed to open SCM
COperationsManager::OPStopService - Failed to open service with error:
COperationsManager::OPStopService - Failed to open service with error:
COperationsManager::OPQueryServiceStatus - Wrong data
COperationsManager::OPQueryServiceStatus - Wrong data
COperationsManager::OPStopService - Failed to start service with error
COperationsManager::OPStopService - Failed to start service with error
COperationsManager::OPQueryServiceStatus - Failed to open SCM
COperationsManager::OPQueryServiceStatus - Failed to open SCM
COperationsManager::OPQueryServiceStatus - Failed to open service with error:
COperationsManager::OPQueryServiceStatus - Failed to open service with error:
-----END PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----END CERTIFICATE-----
-----END CERTIFICATE-----
6qdiMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
6qdiMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
OWindows 95
OWindows 95
Windows 98
Windows 98
Windows ME
Windows ME
Windows NT
Windows NT
Windows 2000
Windows 2000
Windows XP
Windows XP
Windows 2003
Windows 2003
Windows Vista
Windows Vista
Windows 2008
Windows 2008
Windows 2008R2
Windows 2008R2
Windows 7
Windows 7
Windows 8
Windows 8
Windows 8.1
Windows 8.1
Windows 2012
Windows 2012
Windows 2012r2
Windows 2012r2
{6494AB3E-774F-4604-818A-EF0783E04A7D}
{6494AB3E-774F-4604-818A-EF0783E04A7D}
Failed loading ws2_32.dll with error:
Failed loading ws2_32.dll with error:
{9DC8FA51-B596-4f77-802C-5B295919C205}
{9DC8FA51-B596-4f77-802C-5B295919C205}
sdk.txt
sdk.txt
Failed to open service key with error:
Failed to open service key with error:
DLL is set to be loaded by using a registry key
DLL is set to be loaded by using a registry key
Trying to start UDP channel
Trying to start UDP channel
Starting relay on port:
Starting relay on port:
{16CB9635-CCEA-4184-A4A4-E450754EF940}
{16CB9635-CCEA-4184-A4A4-E450754EF940}
Failed to open custom cert (public key) file with error:
Failed to open custom cert (public key) file with error:
Failed to open custom cert (private key) file with error:
Failed to open custom cert (private key) file with error:
Dulcumr.log
Dulcumr.log
String library passed MT test
String library passed MT test
/RegServer flag not support!
/RegServer flag not support!
Error openning key HKEY_CLASSES_ROOT!
Error openning key HKEY_CLASSES_ROOT!
{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}
{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}
Error openning key keyAppID!
Error openning key keyAppID!
RegOpenKeyTransactedA
RegOpenKeyTransactedA
Advapi32.dll
Advapi32.dll
RegCreateKeyTransactedA
RegCreateKeyTransactedA
RegDeleteKeyTransactedA
RegDeleteKeyTransactedA
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
Failed to open keyAppID with error:
Failed to open keyAppID with error:
Failed to open HKEY_CLASSES_ROOT with error:
Failed to open HKEY_CLASSES_ROOT with error:
,url,
,url,
SSHThread
SSHThread
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
Dulcum.dll
Dulcum.dll
sqlite3.dll
sqlite3.dll
softokn3.dll
softokn3.dll
smime3.dll
smime3.dll
nssutil3.dll
nssutil3.dll
nssdbm3.dll
nssdbm3.dll
nssckbi.dll
nssckbi.dll
nss3.dll
nss3.dll
libplds4.dll
libplds4.dll
libplc4.dll
libplc4.dll
libnspr4.dll
libnspr4.dll
freebl3.dll
freebl3.dll
Not supporting WD!
Not supporting WD!
{A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C}
{A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C}
CWebSocket::DownloadFile - Invalid parameter
CWebSocket::DownloadFile - Invalid parameter
CWebSocket::DownloadFile - Failed to resolve domain:
CWebSocket::DownloadFile - Failed to resolve domain:
CWebSocket::DownloadFile - Failed to create socket
CWebSocket::DownloadFile - Failed to create socket
CWebSocket::DownloadFile - Failed to connect to:
CWebSocket::DownloadFile - Failed to connect to:
User-Agent: Mozilla/4.0
User-Agent: Mozilla/4.0
CWebSocket::OnSocketTimeout - Timeout
CWebSocket::OnSocketTimeout - Timeout
CWebSocket::OnSocketConnect - Failed to connect to:
CWebSocket::OnSocketConnect - Failed to connect to:
CWebSocket::OnSocketConnect - Failed to send request to:
CWebSocket::OnSocketConnect - Failed to send request to:
CWebSocket::OnSocketReceive - Received bad data
CWebSocket::OnSocketReceive - Received bad data
CWebSocket::OnSocketReceive - Failed to parse header
CWebSocket::OnSocketReceive - Failed to parse header
CWebSocket::OnSocketReceive - Received error code from web server:
CWebSocket::OnSocketReceive - Received error code from web server:
CWebSocket::OnSocketReceive - Invalid header
CWebSocket::OnSocketReceive - Invalid header
CWebSocket::OnSocketReceive - Failed to open file:
CWebSocket::OnSocketReceive - Failed to open file:
Failed to create/open SafeBoot sub key with error:
Failed to create/open SafeBoot sub key with error:
{BBE45957-FB3F-43BC-81F1-BD6C8BEE5951}
{BBE45957-FB3F-43BC-81F1-BD6C8BEE5951}
Not supporting TDI
Not supporting TDI
0.0.0.0
0.0.0.0
CTCPSocketAsync
CTCPSocketAsync
Operation made on non existant socket!
Operation made on non existant socket!
Can't run on TCP socket!
Can't run on TCP socket!
CTCPSocket
CTCPSocket
CTCPSocketAsyncMsg
CTCPSocketAsyncMsg
%s_%lu_%lu
%s_%lu_%lu
CControlableRelay::CreateSSLListener - Cert tested good!
CControlableRelay::CreateSSLListener - Cert tested good!
CControlableRelay::CreateSSLListener - Failed to test cert!
CControlableRelay::CreateSSLListener - Failed to test cert!
Failed to test cert!
Failed to test cert!
huntington.com
huntington.com
airnewzealand.co.nz
airnewzealand.co.nz
CControlableRelay::CAcceptSocket::CreateListener, Failed to bind socket to port:
CControlableRelay::CAcceptSocket::CreateListener, Failed to bind socket to port:
Authentication failed (check username or password)
Authentication failed (check username or password)
Socks5 reply: Address not supported
Socks5 reply: Address not supported
Socks5 reply: Command not supported
Socks5 reply: Command not supported
Failed to load keys!
Failed to load keys!
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
### Msg ###
### Msg ###
Read will pass buffer size!
Read will pass buffer size!
_CTCPSocketAsyncSSL
_CTCPSocketAsyncSSL
CERTIFICATE
CERTIFICATE
).cer
).cer
\goodcert
\goodcert
\badcert
\badcert
CCertManager::VerifyChainUsingCrypto - Got bad results for domain:
CCertManager::VerifyChainUsingCrypto - Got bad results for domain:
for cert:
for cert:
CCertManager::VerifyChainUsingCrypto - Failed to get chain with error:
CCertManager::VerifyChainUsingCrypto - Failed to get chain with error:
CCertManager::VerifyChainUsingCrypto - Failed to create chain with error:
CCertManager::VerifyChainUsingCrypto - Failed to create chain with error:
-----END %s-----
-----END %s-----
-----BEGIN %s-----
-----BEGIN %s-----
2.5.4.10=
2.5.4.10=
2.5.4.11=
2.5.4.11=
2.5.4.3=
2.5.4.3=
CCertManager::LoadOperaStore -
CCertManager::LoadOperaStore -
CCertManager::LoadFFStore -
CCertManager::LoadFFStore -
CCertManager::GetAllUsers - Failed to get key with error:
CCertManager::GetAllUsers - Failed to get key with error:
CCertManager::LoadIEStore -
CCertManager::LoadIEStore -
CCertManager::LoadIEStore - Failed to open store
CCertManager::LoadIEStore - Failed to open store
CCertManager::LoadIEStore - Failed to open file
CCertManager::LoadIEStore - Failed to open file
CertsIE.dat
CertsIE.dat
CTCPSocketAsyncDelegator
CTCPSocketAsyncDelegator
cmd.exe
cmd.exe
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
GetProcessWindowStation
GetProcessWindowStation
portuguese-brazilian
portuguese-brazilian
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
operator
operator
inflate 1.2.5 Copyright 1995-2010 Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
.?AVCMD5@@
.?AVCMD5@@
.?AVCHTTPData@@
.?AVCHTTPData@@
.?AVCHTTPFilter@@
.?AVCHTTPFilter@@
.?AVCHTTPHeader@@
.?AVCHTTPHeader@@
.?AVCKeywordManager@@
.?AVCKeywordManager@@
.?AVCTCPSocketAsyncBlowFish@@
.?AVCTCPSocketAsyncBlowFish@@
.?AVCTCPSocketAsyncSSL@@
.?AVCTCPSocketAsyncSSL@@
.?AVCTCPSocketAsyncMsg@@
.?AVCTCPSocketAsyncMsg@@
.?AVCTCPSocketAsync@@
.?AVCTCPSocketAsync@@
.?AVCTCPSocket@@
.?AVCTCPSocket@@
)hXXp://cybertrust.omniroot.com/repository0
)hXXp://cybertrust.omniroot.com/repository0
1hXXp://cdp1.public-trust.com/CRL/Omniroot2025.crl0
1hXXp://cdp1.public-trust.com/CRL/Omniroot2025.crl0
.?AVCOperationsManager@@
.?AVCOperationsManager@@
.?AUISupportErrorInfo@@
.?AUISupportErrorInfo@@
.?AVCSSHManager@@
.?AVCSSHManager@@
.?AVCUDPServer@@
.?AVCUDPServer@@
.?AVCWebSocket@@
.?AVCWebSocket@@
.?AVCTCPSocketOverider@CTCPSocketAsync@@
.?AVCTCPSocketOverider@CTCPSocketAsync@@
.?AVCSocketGetCert@CCertManager@@
.?AVCSocketGetCert@CCertManager@@
.?AVCCertManager@@
.?AVCCertManager@@
.?AVCTCPSocketAsyncDelegator@@
.?AVCTCPSocketAsyncDelegator@@
zcÃ
zcÃ
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe
VERSION.dll
VERSION.dll
PSAPI.DLL
PSAPI.DLL
WS2_32.dll
WS2_32.dll
GetProcessHeap
GetProcessHeap
GetWindowsDirectoryA
GetWindowsDirectoryA
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
SetProcessWindowStation
SetProcessWindowStation
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjectsEx
USER32.dll
USER32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyA
RegOpenKeyA
RegOpenKeyA
RegEnumKeyExW
RegEnumKeyExW
RegCreateKeyA
RegCreateKeyA
RegEnumKeyA
RegEnumKeyA
ReportEventA
ReportEventA
RegQueryInfoKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenKeyExW
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
GetExtendedTcpTable
GetExtendedTcpTable
IPHLPAPI.DLL
IPHLPAPI.DLL
WinHttpReadData
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpSendRequest
WinHttpSendRequest
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpConnect
WinHttpConnect
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpOpen
WinHttpOpen
WINHTTP.dll
WINHTTP.dll
Secur32.dll
Secur32.dll
CertFreeCertificateContext
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCertificateChain
CertGetCertificateChain
CertGetCertificateChain
CertCreateCertificateContext
CertCreateCertificateContext
CertNameToStrA
CertNameToStrA
CertEnumCRLsInStore
CertEnumCRLsInStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertOpenStore
CertOpenStore
CertCloseStore
CertCloseStore
CertOpenSystemStoreA
CertOpenSystemStoreA
CRYPT32.dll
CRYPT32.dll
GetCPInfo
GetCPInfo
{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96} = s 'Dulcum'
{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96} = s 'Dulcum'
'%ShortModule%'
'%ShortModule%'
val AppID = s {B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}
val AppID = s {B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}
DulcumLib.ChoFedgiw.1 = s 'ChoFedgiw Class'
DulcumLib.ChoFedgiw.1 = s 'ChoFedgiw Class'
CLSID = s '{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}'
CLSID = s '{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}'
DulcumLib.ChoFedgiw = s 'ChoFedgiw Class'
DulcumLib.ChoFedgiw = s 'ChoFedgiw Class'
CurVer = s 'DulcumLib.ChoFedgiw.1'
CurVer = s 'DulcumLib.ChoFedgiw.1'
ForceRemove {1379DC63-E5C9-4CA2-8167-A3AC3B7804CF} = s 'ChoFedgiw Class'
ForceRemove {1379DC63-E5C9-4CA2-8167-A3AC3B7804CF} = s 'ChoFedgiw Class'
ProgID = s 'DulcumLib.ChoFedgiw.1'
ProgID = s 'DulcumLib.ChoFedgiw.1'
VersionIndependentProgID = s 'DulcumLib.ChoFedgiw'
VersionIndependentProgID = s 'DulcumLib.ChoFedgiw'
val AppID = s '{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}'
val AppID = s '{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}'
'TypeLib' = s '{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}'
'TypeLib' = s '{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}'
DulcumLib.SysxNhropto.1 = s 'SysxNhropto Class'
DulcumLib.SysxNhropto.1 = s 'SysxNhropto Class'
CLSID = s '{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}'
CLSID = s '{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}'
DulcumLib.SysxNhropto = s 'SysxNhropto Class'
DulcumLib.SysxNhropto = s 'SysxNhropto Class'
CurVer = s 'DulcumLib.SysxNhropto.1'
CurVer = s 'DulcumLib.SysxNhropto.1'
ForceRemove {1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0} = s 'SysxNhropto Class'
ForceRemove {1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0} = s 'SysxNhropto Class'
ProgID = s 'DulcumLib.SysxNhropto.1'
ProgID = s 'DulcumLib.SysxNhropto.1'
VersionIndependentProgID = s 'DulcumLib.SysxNhropto'
VersionIndependentProgID = s 'DulcumLib.SysxNhropto'
DulcumLib.WiiWibdyftitg.1 = s 'WiiWibdyftitg Class'
DulcumLib.WiiWibdyftitg.1 = s 'WiiWibdyftitg Class'
CLSID = s '{1F0F6135-E368-41DA-a327-92D021B47810}'
CLSID = s '{1F0F6135-E368-41DA-a327-92D021B47810}'
DulcumLib.WiiWibdyftitg = s 'WiiWibdyftitg Class'
DulcumLib.WiiWibdyftitg = s 'WiiWibdyftitg Class'
CurVer = s 'DulcumLib.WiiWibdyftitg.1'
CurVer = s 'DulcumLib.WiiWibdyftitg.1'
ForceRemove {1F0F6135-E368-41DA-a327-92D021B47810} = s 'WiiWibdyftitg Class'
ForceRemove {1F0F6135-E368-41DA-a327-92D021B47810} = s 'WiiWibdyftitg Class'
ProgID = s 'DulcumLib.WiiWibdyftitg.1'
ProgID = s 'DulcumLib.WiiWibdyftitg.1'
VersionIndependentProgID = s 'DulcumLib.WiiWibdyftitg'
VersionIndependentProgID = s 'DulcumLib.WiiWibdyftitg'
DulcumLib.RhnoSogafagwaf.1 = s 'RhnoSogafagwaf Class'
DulcumLib.RhnoSogafagwaf.1 = s 'RhnoSogafagwaf Class'
CLSID = s '{DD23A82A-F952-4106-8BD6-EDCD545C637A}'
CLSID = s '{DD23A82A-F952-4106-8BD6-EDCD545C637A}'
DulcumLib.RhnoSogafagwaf = s 'RhnoSogafagwaf Class'
DulcumLib.RhnoSogafagwaf = s 'RhnoSogafagwaf Class'
CurVer = s 'DulcumLib.RhnoSogafagwaf.1'
CurVer = s 'DulcumLib.RhnoSogafagwaf.1'
ForceRemove {DD23A82A-F952-4106-8BD6-EDCD545C637A} = s 'RhnoSogafagwaf Class'
ForceRemove {DD23A82A-F952-4106-8BD6-EDCD545C637A} = s 'RhnoSogafagwaf Class'
ProgID = s 'DulcumLib.RhnoSogafagwaf.1'
VersionIndependentProgID = s 'DulcumLib.RhnoSogafagwaf'
DulcumLib.WopBaaijkap.1 = s 'WopBaaijkap Class'
CLSID = s '{F6BBFEEB-ADD4-4B34-8B07-D58CAEFDECCA}'
DulcumLib.WopBaaijkap = s 'WopBaaijkap Class'
CurVer = s 'DulcumLib.WopBaaijkap.1'
ForceRemove {F6BBFEEB-ADD4-4B34-8B07-D58CAEFDECCA} = s 'WopBaaijkap Class'
ProgID = s 'DulcumLib.WopBaaijkap.1'
VersionIndependentProgID = s 'DulcumLib.WopBaaijkap'
DulcumLib.JavFixodacwen.1 = s 'JavFixodacwen Class'
CLSID = s '{DAC5E6DC-8407-457F-8F08-79AA13EE85B4}'
DulcumLib.JavFixodacwen = s 'JavFixodacwen Class'
CurVer = s 'DulcumLib.JavFixodacwen.1'
ForceRemove {DAC5E6DC-8407-457F-8F08-79AA13EE85B4} = s 'JavFixodacwen Class'
ProgID = s 'DulcumLib.JavFixodacwen.1'
VersionIndependentProgID = s 'DulcumLib.JavFixodacwen'
DulcumLib.LopdRusipauwja.1 = s 'LopdRusipauwja Class'
CLSID = s '{A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C}'
DulcumLib.LopdRusipauwja = s 'LopdRusipauwja Class'
CurVer = s 'DulcumLib.LopdRusipauwja.1'
ForceRemove {A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C} = s 'LopdRusipauwja Class'
ProgID = s 'DulcumLib.LopdRusipauwja.1'
VersionIndependentProgID = s 'DulcumLib.LopdRusipauwja'
DulcumLib.BobMycebukiej.1 = s 'BobMycebukiej Class'
CLSID = s '{AD296071-873C-4BB1-9818-BB740C07A3B1}'
DulcumLib.BobMycebukiej = s 'BobMycebukiej Class'
CurVer = s 'DulcumLib.BobMycebukiej.1'
ForceRemove {AD296071-873C-4BB1-9818-BB740C07A3B1} = s 'BobMycebukiej Class'
ProgID = s 'DulcumLib.BobMycebukiej.1'
VersionIndependentProgID = s 'DulcumLib.BobMycebukiej'
DulcumLib.AzeKhzawivyro.1 = s 'AzeKhzawivyro Class'
CLSID = s '{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}'
DulcumLib.AzeKhzawivyro = s 'AzeKhzawivyro Class'
CurVer = s 'DulcumLib.AzeKhzawivyro.1'
ForceRemove {831F62AC-B7DC-4CF9-90BA-1DCDA445B52C} = s 'AzeKhzawivyro Class'
ProgID = s 'DulcumLib.AzeKhzawivyro.1'
VersionIndependentProgID = s 'DulcumLib.AzeKhzawivyro'
DulcumLib.JoasHobhyl.1 = s 'JoasHobhyl Class'
CLSID = s '{1FB49220-9E99-444C-85AA-F55307D0134F}'
DulcumLib.JoasHobhyl = s 'JoasHobhyl Class'
CurVer = s 'DulcumLib.JoasHobhyl.1'
ForceRemove {1FB49220-9E99-444C-85AA-F55307D0134F} = s 'JoasHobhyl Class'
ProgID = s 'DulcumLib.JoasHobhyl.1'
VersionIndependentProgID = s 'DulcumLib.JoasHobhyl'
DulcumLib.HuttPefgiupc.1 = s 'HuttPefgiupc Class'
CLSID = s '{8C615F5F-2AF9-4DEA-8088-DE832002ACE4}'
DulcumLib.HuttPefgiupc = s 'HuttPefgiupc Class'
CurVer = s 'DulcumLib.HuttPefgiupc.1'
ForceRemove {8C615F5F-2AF9-4DEA-8088-DE832002ACE4} = s 'HuttPefgiupc Class'
ProgID = s 'DulcumLib.HuttPefgiupc.1'
VersionIndependentProgID = s 'DulcumLib.HuttPefgiupc'
DulcumLib.BeiwPhnumge.1 = s 'BeiwPhnumge Class'
CLSID = s '{48C17124-4EDF-46A8-9E2A-41396B4F6A55}'
DulcumLib.BeiwPhnumge = s 'BeiwPhnumge Class'
CurVer = s 'DulcumLib.BeiwPhnumge.1'
ForceRemove {48C17124-4EDF-46A8-9E2A-41396B4F6A55} = s 'BeiwPhnumge Class'
ProgID = s 'DulcumLib.BeiwPhnumge.1'
VersionIndependentProgID = s 'DulcumLib.BeiwPhnumge'
DulcumLib.LubEceonene.1 = s 'LubEceonene Class'
CLSID = s '{6494AB3E-774F-4604-818A-EF0783E04A7D}'
DulcumLib.LubEceonene = s 'LubEceonene Class'
CurVer = s 'DulcumLib.LubEceonene.1'
ForceRemove {6494AB3E-774F-4604-818A-EF0783E04A7D} = s 'LubEceonene Class'
ProgID = s 'DulcumLib.LubEceonene.1'
VersionIndependentProgID = s 'DulcumLib.LubEceonene'
DulcumLib.IsiObemibogn.1 = s 'IsiObemibogn Class'
CLSID = s '{BBE45957-FB3F-43BC-81F1-BD6C8BEE5951}'
DulcumLib.IsiObemibogn = s 'IsiObemibogn Class'
CurVer = s 'DulcumLib.IsiObemibogn.1'
ForceRemove {BBE45957-FB3F-43BC-81F1-BD6C8BEE5951} = s 'IsiObemibogn Class'
ProgID = s 'DulcumLib.IsiObemibogn.1'
VersionIndependentProgID = s 'DulcumLib.IsiObemibogn'
stdole2.tlbWWW
istLogin,
0~ziptHTTPWX
:iptHTTPConnectWWX
iptHTTPConnectSSLWWWX
iptHTTPHybridWWWX
iptHTTPHybridSSLX
&iptHTTPSSLWWX
iptSocks5TCPUDPWX
0RkiptRedirectBypassWWWX
iptSocks5UDPX
ftParentalOnlyWW
ftParentalTextOnlyWW
bftParentalOnlyMinimalWWW
=lPortWWW
lProxyPortWW
ZpPasswordWWW
bURL
FbFullRequestURLW
0:QdtPortWW
dtPortInvWWW
dtApplicationUDP
06MdtPortUDPWWW
dtIPUDPW
dtApplicationInvUDPW
(dtPortInvUDP
dtIPInvUDPWW
0l9dtApplicationTCPIWWW
dtPortTCPIWW
dtIPTCPI
dtApplicationInvTCPI
dtPortInvTCPIWWW
dtIPInvTCPIW
01.dtSSLDowngradeWW
tctHTTPFilter@
.aTypeWWWx
pSSHx
pUDPx
HyhoPeravisW
AKbCertWWWx
00|itnPortW4
lBypassSendWl
lSourcePortW
pPortWWW
CatjSeudpoWW
AusPortWW
2usInternalPortWWl
0;lfeTCPWWW
feTCPInc
qfeUDPWWW
feUDPIncl
lRemotePortW
lOriginalPortWWWl
seTCPWWW
seTCPInc
seUDPWWW
seUDPIncl
pProxyBypass
stPortWW(
rtRegistryKeyWWW
8LuISSHControllerWWH
pURL
!TbOldPassword
JbPasswordWWW
SSHControllerWWW
method HyhoPeravis
method CatjSeudpoW
Created by MIDL version 7.00.0555 at Thu May 07 23:07:47 2015
c:\webwork\boostwebapp\agent\commonutils\CheckSuspended.h
.default
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
..\misc\Json\json_reader.cpp
..\misc\Json\json_value.cpp
..\misc\Json\json_writer.cpp
childValues_.size() == size
int(indentString_.size()) >= indentSize_
indentString_.size() >= indentation_.size()
Content-Type: application/x-www-form-urlencoded
CyoDecode.cpp
CyoEncode.cpp
sslredirectport
redirectport
port
password
filterhttp
dropbox.exe
aim.exe
lync.exe
mozybackup.exe
skype.exe
logmein.exe
ramaint.exe
lmiguardiansvc.exe
logmeinsystray.exe
logmeintoolkit.exe
googledrivesync.exe
aus2.mozilla.org
aus3.mozilla.org
windowsupdate.com
update.microsoft.com
windowsupdate.microsoft.com
c.microsoft.com
one.microsoft.com
ccapp.exe
avwebgrd.exe
coreserviceshell.exe
rps.exe
ccsvchst.exe
afterfx.exe
msvsmon.exe
webproxy.exe
portinv
portinvi
appinvudp
portinvudp
ipinvudp
httpfilterconnect
tcprulesand
httpdisable
dllhttponly
dtPort
dtPortInv
dtPortUDP
dtIPUDP
dtApplicationInvUDP
dtPortInvUDP
dtIPInvUDP
dtApplicationTCPI
dtPortTCPI
dtPortInvTCPI
dtIPInvTCPI
ctHTTPFilter
Not supported!
ydllhttponly
.r.log
.s.log
chrome.exe
safari.exe
webkit2webprocess.exe
ffcert
tiexplore.exe
/forcehttp
tcpinc
udpinc
DulcumOff.ini
certdebug
Data\profile\cert8.db
\Application Data\Mozilla\Firefox\Profiles\
\AppData\Roaming\Mozilla\Firefox\Profiles\
\cert8.db
\StringFileInfo\xx\OriginalFilename
c:\program files\microsoft visual studio 12.0\common7\ide\devenv.exe
\vmms.exe
c:\program files (x86)\microsoft visual studio 12.0\common7\ide\devenv.exe
c:\program files\microsoft sql server\110\tools\binn\managementstudio\ssms.exe
c:\program files (x86)\microsoft sql server\110\tools\binn\managementstudio\ssms.exe
\vmwp.exe
c:\program Files\microsoft office\office15\lync.exe
c:\program Files (x86)\microsoft office\office15\lync.exe
\inetsrv\w3wp.exe
%Program Files%\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
\vmconnect.exe
ssl3.dll
OLEAUT32.DLL
MCUI32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock*
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinSock*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock*
tcpip
ekernel32.dll
KERNEL32.DLL
mscoree.dll
WUSER32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
Assertion failed: %s, file %s, line %d
ijiewacy.exe_2416:
.text
`.rdata
@.data
.rsrc
NtDll.dll
%s%s.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyW
ADVAPI32.dll
ole32.dll
PSAPI.DLL
GetCPInfo
gboostwebapp
g%s%s.dat
"%s" %s
ijieaacy.exe
reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=/ts2=1
%s.exe
reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=-cms
Soft%sicro%sdows\Cur%sion\R%s
B%sLow
%s\Volatile Environment
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
.default
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.exe
ijieaacy.exe_2588:
.text
`.rdata
@.data
.rsrc
@.reloc
NtDll.dll
%s%s.exe
RegDeleteKeyA
RegDeleteKeyExA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\
%s/%s
%s/sho%sn
st.bi
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
un@cybluuk.com
2.0.3
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyW
RegCreateKeyExA
RegOpenKeyA
RegDeleteKeyW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
VERSION.dll
IPHLPAPI.DLL
gdiplus.dll
PSAPI.DLL
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpOpenRequest
WinHttpSendRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
GetCPInfo
PeekNamedPipe
C%d.%d.%d.%d
g%s\%s
boostwebapp
explorer.exe
Google Chrome
SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command
\chrome.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
PathToExe
Software\Mozilla\Mozilla Firefox
iexplore.exe
\Internet Explorer\iexplore.exe
112233445566
mac=XXXXXX
SbieDll.dll
{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}
v2.10|Action=Allow|Active=TRUE|Dir=In|App=%s|Name=%s|
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
B%s%s.dat
%s%sb%s
advapi32.dll
A%sLow
%s\Volatile Environment
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
.default
"%s" %s
ijieaacy.exe
kernel32.dll
"%s%s64.exe" -f
"%s%s.exe" -f
"%s%s.exe" /Unregserver
remove scn=%s
stop scn=%s
start scn=%s
"%s%s.exe" /Service
"%s%s64.exe" -b -d "%s%s64.dll"
"%s%s.exe" -b -d "%s%s.dll"
%s.exe
%SystemDrive%
hXXp://%s/%s
%s?type=install_start&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&mac=%s&dsr=%s&pgd=%s&bid=%s&buid=%d&av=%s&vm=%u<m=%s&cb=%d&x=172
%d&avname=%s
ws%s.
10110101
1.1.0.31
%Y%m%d
%d_%m_%H_%M_%S
%s%saffId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&manu=%s&ff=%s&ch=%s&ie=%s&mac=%s&buid=%d&wktm=%d<m=%s&cb=%d&x=408
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&manu=%s&ff=%s&ch=%s&ie=%s&mac=%s&dsr=%s&pgd=%s&bid=%s&buid=%d&vm=%u&wktm=%d<m=%s&cb=%d&x=175
%s %s
?type=active&cnt=%d&prvtm=%s&dl=%d
?type=updstat&kind=%s&old=%d&id=%s&down=%d&run=%d&ecode=%d&edcode=%d&runby=%d&tskerr=%d&tskst=%d&lpath=%s
Tempo %s Runner
?type=klld&id=%d&pidb=%d&susb=%d&pidrt=%d&pidrs=%d&count=%d
taskkill /F /T /IM %s
Tempo Runner %s
/dgad="%s"
?type=rstrt&id=%d&count=%d
Start Following: %s.exe
%s\tmp%d\%s%d.exe
https:
%s\tmp%d
ru%sce
%sdonce
%s?type=update&cnt=%d&prvtm=%s
%s un=NT AUTH
ORITY\SYSTEM cl=%s
es.ini
%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d<m=%s&cb=%d
hXXp://s3.zawss.info/client-cmd/cr.html
?type=map_open&id=%d&err=%d
Content-Type: application/x-www-form-urlencoded
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
hXXp://%s/nr/%s
%s/%s/v%s/report.html
%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
%Y_%m_%d
Software\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ijie6acy.dll
ijie3acy.dll
jeboiiw.dat
oabilgu64.exe
oabilgu.exe
Dulcum.exe
utils.exe
uninstaller.exe
Od.sys
d.sys
?type=str%s
AM%sCS
mscoree.dll
cmd.exe
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.exe
HiowlEkhwor.exe_3196:
.text
`.rdata
@.data
.rsrc
NtDll.dll
%s%s.exe
[%u:%u - %s %s (%d)] %s: %s
HKEY_LOCAL_MACHINE\SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\
Line %d, Column %d
report
{"%s": [ { "time": "%d", "count": "1", "report": "no", "active": "no" } ] }
hXXps://kle.austries.com/amm/rapps/%s_%s/%s/loader.js?d=t
hXXp://kle.austries.com/amm/rapps/%s_%s/%s/loader.js?d=t
%sfish
RegDeleteKeyExW
RegDeleteKeyTransactedW
RegCreateKeyTransactedW
RegOpenKeyTransactedW
password
port
RegDeleteKeyA
RegDeleteKeyExA
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
C:\webwork\boostwebapp\Agent\ProxyCmd\Release\ProxyCmd.pdb
VERSION.dll
GetProcessHeap
SetNamedPipeHandleState
WaitNamedPipeA
CreateIoCompletionPort
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExA
RegOpenKeyA
RegDeleteKeyW
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
IPHLPAPI.DLL
PSAPI.DLL
WinHttpCrackUrl
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpSetTimeouts
WinHttpOpen
WinHttpReadData
WinHttpQueryDataAvailable
WINHTTP.dll
GetCPInfo
.?AVCMD5@@
boostwebapp
iexplore.exe
\Internet Explorer\iexplore.exe
PathToExe
Software\Mozilla\Mozilla Firefox
Google Chrome
SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command
\chrome.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
%d.%d.%d.%d
112233445566
mac=XXXXXX
SbieDll.dll
svchost.exe
winlogon.exe
explorer.exe
{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}
v2.10|Action=Allow|Active=TRUE|Dir=In|App=%s|Name=%s|
%s\%s
Shell32.dll
{A520A1A4-1780-4FF6-BD18-167343C5AF16}
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
g\\.\pipe\7B4E5745-3859-41C7-93A6-6B4AA2C98C4D
%s%s.dat
B%s%sb%s
\agentlog.txt
"%s" %s
ijieaacy.exe
kernel32.dll
?type=ma%sown&rep=%d&id=%d&merr=%d&fst=%d
?type=ma%sec&id=%d
?type=ma%sct&id=%d&pidb=%d&pida=%d&pidrt=%d&pidrs=%d&susb=%d&susa=%d
taskkill /F /T /IM %s
%s.exe
%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d<m=%s&cb=%d
10110101
1.1.0.31
%Y%m%d
%d_%m_%H_%M_%S
hXXp://s3.zawss.info/client-cmd/cr.html
?type=map_open&id=%d&err=%d
Content-Type: application/x-www-form-urlencoded
reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=-cmd
Copera.exe
webkit2webprocess.exe
safari.exe
chrome.exe
firefox.exe
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
WAdvapi32.dll
advapi32.dll
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
.default
%sLow
%s\Volatile Environment
mscoree.dll
cmd.exe
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe
ijiedacy.exe_3404:
.text
`.rdata
@.data
.rsrc
@.reloc
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
ijiedacyu.dll
IPHLPAPI.DLL
gdiplus.dll
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpCrackUrl
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
GetCPInfo
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
rboostwebapp
112233445566
mac=XXXXXX
g%s%s.dat
B%sLow
%s\Volatile Environment
S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu
.default
@%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d<m=%s&cb=%d
10110101
1.1.0.31
%Y%m%d
%d_%m_%H_%M_%S
hXXp://s3.zawss.info/client-cmd/cr.html
?type=map_open&id=%d&err=%d
Content-Type: application/x-www-form-urlencoded
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
BKERNEL32.DLL
WUSER32.DLL
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe