Application.Generic.1307206_6c47b7ff9d – Adaware

not-a-virus:AdWare.Win32.PennyBee.nu (Kaspersky), Application.Generic.1307206 (AdAware), Trojan.Win32.Swrort.3.FD, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 6c47b7ff9de6864a748f9f7bcb73cb64

SHA1: 91ea2aae0a43ae0b5ab4bd69bbe0f0182bbcc0f8

SHA256: daf4f46499fd36d440881121c183a508773825548746be79aad6ff11905f67e0

SSDeep: 49152:aTu8x6y0yBHvCheTs1UpptTtPUFaYrz3M9pkvfUZp YcNMJKZbrddJc:mug3vCh3UR9UA6wpIMZcYcNMcZbr3C

Size: 2040937 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Software Bundle Company

Created at: 2009-06-07 00:41:54

Analyzed on: WindowsXP SP3 32-bit

Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

ijieaacy.EXE:3364
ijieaacy.EXE:3016
ijiedacy.exe:3044
ijiewacy.exe:2112
ijiewacy.exe:2416
Dulcum.exe:1680
Dulcum.exe:1628
oabilgu.exe:864
%original file name%.exe:388
HiowlEkhwor.exe:2964
HiowlEkhwor.exe:3196
ijieaacy.exe:592

The Application injects its code into the following process(es):

ijiedacy.exe:3404
ijieaacy.exe:2588

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process ijiedacy.exe:3044 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loader[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The process ijiedacy.exe:3404 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v1[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pvint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8 (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6 (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961 (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pv[1].js (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmp_ext[1].js (8 bytes)

The process Dulcum.exe:1628 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%System%\Dulcum.ini (392 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\DulcumOff.ini (4 bytes)

The Application deletes the following file(s):

%WinDir%\Temp\CertsIE.dat (0 bytes)

The process oabilgu.exe:864 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%System%\Dulcum.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SpOrder.dll (392 bytes)

The process %original file name%.exe:388 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.dll (12024 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacyu.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (9320 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\utils.exe (6335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\boostwebapp_installer__1468410562.txt (21484 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum64.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgFd.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.EXE (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe (8560 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe (6584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgOd.sys (784 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu.exe (18424 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu64.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgd.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE (50832 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.EXE (85410 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgRd.sys (1552 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (156966 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)

The process ijieaacy.exe:592 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (574 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgR.sys (72 bytes)
%System%\drivers\tammg119.sys (26 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammg.sys (54 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (1156 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgF.sys (70 bytes)

The process ijieaacy.exe:2588 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (3072 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (1528 bytes)
%WinDir%\Tasks\Tempo Runner ijiedacy.job (3016 bytes)

The Application deletes the following file(s):

%WinDir%\Tasks\Tempo Runner ijiedacy.job (0 bytes)

Registry activity

The process ijieaacy.EXE:3364 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 38 D4 B6 11 EC 5F 30 6C 8F 24 ED D6 8A 1C 77"

The process ijieaacy.EXE:3016 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 F7 E3 6E 30 4B FE 74 03 6B 7F 76 DC FA 49 30"

The process ijiedacy.exe:3044 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 48 7A 81 46 29 BC E5 50 46 38 F8 AD 61 56 C5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ijiedacy.exe:3404 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\AppdataLow\Software\raelvyo\data]
"E419E2445BF82w23" = "120000"
"AAD4DBA9766467aw23" = "60000"
"AAD4DBA9766467evaw23" = "120000"
"CAD4DBA9766467bducw23" = "3600000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\AppdataLow\Software\raelvyo\data]
"S132B7B8F1DC15w23" = "32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\AppdataLow\Software\raelvyo\data]
"__cxe_type" = ".10110101"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 84 E0 82 AD 31 B6 7A A2 BC 82 B7 F9 78 BA 38"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ijiewacy.exe:2112 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 2B 09 2D 7B 18 C3 E6 36 98 76 0E 44 8E 22 46"

The process ijiewacy.exe:2416 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6F 4A 75 9F 7A 1B 0C 90 A5 71 C2 4E 5D 4F 30"

The process Dulcum.exe:1680 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0]
"(Default)" = "UEO 1.0 Type Library"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}]
"(Default)" = "IWFPController"

[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.AzeKhzawivyro.1]
"(Default)" = "AzeKhzawivyro Class"

[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"InstallingUser" = "eABwADEAXABhAGQAbQAAAA=="

[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}]
"(Default)" = "IChatControl"

[HKCR\DulcumLib.WiiWibdyftitg\CLSID]
"(Default)" = "{1F0F6135-E368-41DA-a327-92D021B47810}"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"KomodiaParameters1" = "0"

[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}]
"(Default)" = "INATDriver"

[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.JoasHobhyl\CurVer]
"(Default)" = "DulcumLib.JoasHobhyl.1"

[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.WiiWibdyftitg\CurVer]
"(Default)" = "DulcumLib.WiiWibdyftitg.1"

[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}]
"(Default)" = "IDataTable"

[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\DulcumLib.ChoFedgiw]
"(Default)" = "ChoFedgiw Class"

[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\DulcumLib.JoasHobhyl.1]
"(Default)" = "JoasHobhyl Class"

[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.SysxNhropto\CurVer]
"(Default)" = "DulcumLib.SysxNhropto.1"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\VersionIndependentProgID]
"(Default)" = "DulcumLib.JoasHobhyl"

[HKCR\DulcumLib.ChoFedgiw.1]
"(Default)" = "ChoFedgiw Class"

[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}]
"(Default)" = "ILSPLogic"

[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}]
"(Default)" = "IWatchDog"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\ProgID]
"(Default)" = "DulcumLib.SysxNhropto.1"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}]
"(Default)" = "JoasHobhyl Class"

[HKCR\DulcumLib.SysxNhropto.1]
"(Default)" = "SysxNhropto Class"

[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\DulcumLib.SysxNhropto]
"(Default)" = "SysxNhropto Class"

[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"LocalService" = "Dulcum"

[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.BeiwPhnumge.1\CLSID]
"(Default)" = "{48C17124-4EDF-46A8-9E2A-41396B4F6A55}"

[HKCR\DulcumLib.SysxNhropto\CLSID]
"(Default)" = "{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}"

[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\ProgID]
"(Default)" = "DulcumLib.AzeKhzawivyro.1"

[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}]
"(Default)" = "IInjector"

[HKCR\DulcumLib.RhnoSogafagwaf]
"(Default)" = "RhnoSogafagwaf Class"

[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}]
"(Default)" = "IReadOnlyManager"

[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}]
"(Default)" = "IDataStatistics"

[HKCR\DulcumLib.JoasHobhyl.1\CLSID]
"(Default)" = "{1FB49220-9E99-444C-85AA-F55307D0134F}"

[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.WiiWibdyftitg.1]
"(Default)" = "WiiWibdyftitg Class"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\DulcumLib.WiiWibdyftitg]
"(Default)" = "WiiWibdyftitg Class"

[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}]
"(Default)" = "ISSHController"

[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31"

[HKCR\DulcumLib.BeiwPhnumge\CLSID]
"(Default)" = "{48C17124-4EDF-46A8-9E2A-41396B4F6A55}"

[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.JoasHobhyl]
"(Default)" = "JoasHobhyl Class"

[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}]
"(Default)" = "IParentalControlController"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E8 4F 3C D7 30 72 C2 43 C4 52 3D 9D 97 98 61"

[HKCR\AppID\Dulcum.EXE]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\DulcumLib.BeiwPhnumge]
"(Default)" = "BeiwPhnumge Class"

[HKCR\DulcumLib.ChoFedgiw\CurVer]
"(Default)" = "DulcumLib.ChoFedgiw.1"

[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}]
"(Default)" = "RhnoSogafagwaf Class"

[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\ProgID]
"(Default)" = "DulcumLib.JoasHobhyl.1"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dulcum]
"(Default)" = "service"

[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}]
"(Default)" = "IProxyChecks"

[HKCR\DulcumLib.BeiwPhnumge\CurVer]
"(Default)" = "DulcumLib.BeiwPhnumge.1"

[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.AzeKhzawivyro\CurVer]
"(Default)" = "DulcumLib.AzeKhzawivyro.1"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}]
"(Default)" = "AzeKhzawivyro Class"

[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{0848985F-765C-4C0C-8693-8D7A3660C5DA}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.SysxNhropto.1\CLSID]
"(Default)" = "{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\VersionIndependentProgID]
"(Default)" = "DulcumLib.WiiWibdyftitg"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}]
"(Default)" = "BeiwPhnumge Class"

[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}]
"(Default)" = "IParentalControl"

[HKCR\TypeLib\{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"(Default)" = "Dulcum"

[HKCR\Interface\{9D808351-AB70-410F-860F-F838181AC601}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}]
"(Default)" = "WiiWibdyftitg Class"

[HKCR\Interface\{39C7EF59-F2B2-4E1F-8958-634FAF50CB16}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\VersionIndependentProgID]
"(Default)" = "DulcumLib.BeiwPhnumge"

[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\DulcumLib.AzeKhzawivyro\CLSID]
"(Default)" = "{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}"

[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}]
"(Default)" = "IDataTableFields"

[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\VersionIndependentProgID]
"(Default)" = "DulcumLib.ChoFedgiw"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}\VersionIndependentProgID]
"(Default)" = "DulcumLib.SysxNhropto"

[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\ProgID]
"(Default)" = "DulcumLib.BeiwPhnumge.1"

[HKCR\DulcumLib.RhnoSogafagwaf.1]
"(Default)" = "RhnoSogafagwaf Class"

[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\ProgID]
"(Default)" = "DulcumLib.RhnoSogafagwaf.1"

[HKCR\DulcumLib.BeiwPhnumge.1]
"(Default)" = "BeiwPhnumge Class"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\CLSID\{1F0F6135-E368-41DA-a327-92D021B47810}\ProgID]
"(Default)" = "DulcumLib.WiiWibdyftitg.1"

[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{2D205D08-0DFD-4F71-8DB6-1DA0AF16F221}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.WiiWibdyftitg.1\CLSID]
"(Default)" = "{1F0F6135-E368-41DA-a327-92D021B47810}"

[HKCR\Interface\{6C552422-0B21-4BFF-8E09-552790E925D3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"ServiceParameters" = "-Service"

[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E0969847-5C11-44B9-ACE4-88E45EE489A2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1FB49220-9E99-444C-85AA-F55307D0134F}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}\VersionIndependentProgID]
"(Default)" = "DulcumLib.AzeKhzawivyro"

[HKCR\Interface\{F18B8E5F-BDDE-477D-8625-AF38730B8EF1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{AFD24599-5421-4332-BC16-C8F65EC8CF3F}]
"(Default)" = "IDataTableHolder"

[HKCR\Interface\{BBD95388-2FE8-458C-8385-9CA513957D93}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DD23A82A-F952-4106-8BD6-EDCD545C637A}\VersionIndependentProgID]
"(Default)" = "DulcumLib.RhnoSogafagwaf"

[HKCR\DulcumLib.AzeKhzawivyro]
"(Default)" = "AzeKhzawivyro Class"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\Interface\{87E36D39-1AD3-4E1E-851F-8CDA3E652C65}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.JoasHobhyl\CLSID]
"(Default)" = "{1FB49220-9E99-444C-85AA-F55307D0134F}"

[HKCR\DulcumLib.RhnoSogafagwaf.1\CLSID]
"(Default)" = "{DD23A82A-F952-4106-8BD6-EDCD545C637A}"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

[HKCR\DulcumLib.ChoFedgiw.1\CLSID]
"(Default)" = "{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}"

[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{CD56E548-F5D8-4D09-885A-1BD76DF39FE6}\TypeLib]
"Version" = "1.0"

[HKCR\DulcumLib.AzeKhzawivyro.1\CLSID]
"(Default)" = "{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}"

[HKCR\DulcumLib.ChoFedgiw\CLSID]
"(Default)" = "{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}"

[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\DulcumLib.RhnoSogafagwaf\CurVer]
"(Default)" = "DulcumLib.RhnoSogafagwaf.1"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\ProgID]
"(Default)" = "DulcumLib.ChoFedgiw.1"

[HKCR\Interface\{42B45CC6-AB83-4C96-B015-12CD50C2010B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{48C17124-4EDF-46A8-9E2A-41396B4F6A55}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\Interface\{41EFEA80-4398-4FCD-A70A-4FBAB65BB501}]
"(Default)" = "IDataContainer"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}\LocalServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe"

[HKCR\Interface\{12E84E95-D562-402E-A516-19B53BF4DA8E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}]
"(Default)" = "SysxNhropto Class"

[HKCR\Interface\{A643E275-3DB0-4796-87A1-876118F26FCC}]
"(Default)" = "IDataController"

[HKCR\DulcumLib.RhnoSogafagwaf\CLSID]
"(Default)" = "{DD23A82A-F952-4106-8BD6-EDCD545C637A}"

[HKCR\CLSID\{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}]
"(Default)" = "ChoFedgiw Class"

[HKCR\Interface\{85DD7684-53D7-49EA-836D-7DB90B0FD889}\TypeLib]
"(Default)" = "{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}"

[HKCR\Interface\{E2AB1DAD-204D-4DB2-8BE5-0BC1997E4406}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}]
"AppID" = "{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}"

The Application deletes the following value(s) in system registry:

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"LocalService"

[HKLM\System\CurrentControlSet\Services\Dulcum]
"NoCom"

[HKCR\AppID\{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}]
"KomodiaParameters1"

The process Dulcum.exe:1628 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 92 49 D3 3C D5 61 9D B4 7B 10 8B 5C 06 FD 27"

The process oabilgu.exe:864 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF CD 05 A4 07 5E FD 04 D7 16 02 49 47 89 3A 51"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "14"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "12"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "43 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1021"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "43 3A 5C 50 72 6F 67 72 61 6D 20 46 69 6C 65 73"

The Application deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000C]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000B]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000E]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000D]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]

The process %original file name%.exe:388 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 1B 83 4C A7 76 BE 62 24 B1 C2 30 AE CD 38 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"SetupType" = "71070"
"UninstallString" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe /ga=1503 /ai=119 /bi=5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"DisplayIcon" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"DisplayVersion" = "1.1.0.31"
"DisplayName" = "boostwebapp"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"Publisher" = "boostwebapp"

The process HiowlEkhwor.exe:2964 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 BB B1 0B 77 9D E6 D6 03 5F 3F 68 13 5B 07 D3"

The process HiowlEkhwor.exe:3196 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED CF 8C 6C B6 5E FD 0F D2 32 36 6E AD 66 C0 2F"

The process ijieaacy.exe:592 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 22 39 DB 2A 94 2F B4 75 14 DC 16 04 05 01 D1"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tammg119.sys]
"(Default)" = "Driver"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\tammg119.sys]
"(Default)" = "Driver"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}]
"InstallDate" = "20141028"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE|Name=yefejnafyte|"

[HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE|Name=yefejnafyte|"

The Application adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31]
"ijieaacy.EXE" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE:*:Enabled:yefejnafyte"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31]
"ijieaacy.EXE" = "%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE:*:Enabled:yefejnafyte"

The process ijieaacy.exe:2588 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 1D BA 78 A3 E4 CC 49 E9 81 99 5F 08 B3 0F D6"

[HKLM\SOFTWARE\119_31]
"AMMDCS" = "1503"

Dropped PE files

MD5	File path
a082e5473b2a9a4d846ed7ddf637ac76	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SpOrder.dll
1ed93ff8ca9ebb32bfa0c3ec6cd304ee	c:\WINDOWS\system32\Dulcum.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\Drivers\tammg119.sys" the Application controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\Drivers\tammg119.sys" the Application controls loading executable images into a memory by installing the Load image notifier.

The Application installs the following kernel-mode hooks:

ZwCreateFile
ZwCreateKey
ZwDeleteFile
ZwDeleteValueKey
ZwOpenFile
ZwOpenKey
ZwOpenProcess
ZwQueryDirectoryFile
ZwSetInformationFile
ZwSetValueKey
ZwTerminateProcess

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
ijieaacy.EXE:3364
ijieaacy.EXE:3016
ijiedacy.exe:3044
ijiewacy.exe:2112
ijiewacy.exe:2416
Dulcum.exe:1680
Dulcum.exe:1628
oabilgu.exe:864
%original file name%.exe:388
HiowlEkhwor.exe:2964
HiowlEkhwor.exe:3196
ijieaacy.exe:592
Delete the original Application file.
Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\loader[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\eaba046253abe5b5116ecaa11e4bd273_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v1[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pvint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\ff4319b9fd1980249b99b4ad16274961_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pv[1].js (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\29c726c70fa66389578f5986eedd9ce4_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\8b8b6fa7b099d5977098f1ed10d61b11_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmp_ext[1].js (8 bytes)
%System%\Dulcum.ini (392 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\DulcumOff.ini (4 bytes)
%System%\Dulcum.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SpOrder.dll (392 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.dll (12024 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacyu.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiwb.dat (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\MiiPif.dll (9320 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\utils.exe (6335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\boostwebapp_installer__1468410562.txt (21484 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum64.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgFd.sys (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.EXE (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Uninstaller.exe (8560 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe (6584 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe (22192 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgOd.sys (784 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\lowwamcon.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu.exe (18424 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\jeboiiw.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ipoojdyi.js (12 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\oabilgu64.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\cacpunfago.js (6 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgd.sys (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jadrekz\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.EXE (50832 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.EXE (85410 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\content\ufytriok.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgRd.sys (1552 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (156966 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgR.sys (72 bytes)
%System%\drivers\tammg119.sys (26 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammg.sys (54 bytes)
%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\tammgF.sys (70 bytes)
%WinDir%\Tasks\Tempo Runner ijiedacy.job (3016 bytes)
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.0.31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.31
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: Product Version: 1.1.0.31Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.1.0.31File Description: Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23130	23552	4.44841	0bc2ffd32265a08d72b795b18265828d
.rdata	28672	4496	4608	3.59163	f179218a059068529bdb4637ef5fa28e
.data	36864	110488	1024	3.26405	975304d6dd6c4a4f076b15511e2bbbc0
.ndata	147456	77824	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	225280	16944	17408	4.08558	e9d00de7898ae3a42a8383ed8a0b0e7f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1507
05a7d3434a4f7fdbf0701537409ba2c8
4bf34bc204bb69496cc6a0b436579d7e
a5f8445545e7bfc14cd588a274ea284e
572105a8ba55d2ef27962d6242cda1a9
fba421ce52f88abe24a6f442cc13c15a
199ef97c118cac4e6addd542782e1309
a5f1146ebffd8392352121c21c3b3f52
b3ff54f0cd98ef37fb27f909ac15e444
1d2101755f896e327ec4734319bd3d89
4190e6cc8b16b17837f8442cd4a63b08
533f39598ecde771b2ddf79d03bee8a3
0d1f1b2208adefb85ccfb277dbaa719e
dc1901f5c30b0434755161b64cc9b3e7
48c881963c75a040f66001abfcb7dab4
1a57c4008bf899d167ad4198a1811cd7
2167b945f9c7ca1c893bbcdea6ea8393
a5c292385d45b17e0aff1bb774c1ef43
304f20ad0e7d4adf43547404973363ae
31b5af32f5e6fe31bf7e4285726d068e
b0fa639e99820ba53d6d11010b35ed32
69f508db972b99dff54fe4d8140cd4bd
65837be2678ce23950c440b1d4990e79
1bb07664674617cc7e5e69e4da6e6c24
b5af7f46cb2a563e11fe1c24292683c5
c95a9743fb340b5cded367e28445d822

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps

Dulcum.exe_1628:

.text

`.rdata

@.data

.idata

.rsrc

Mj.hL

ughd%c

9^Du.Sh

SShP[c

SShx[c

;0u.RVj

RSSSSSSh

;%uHS

28^%u

>8_%u

xSSSh

FTPjKS

FtPj;S

C.PjRV

NtDll.dll

boostwebapp

\chrome.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

Google Chrome

Software\Mozilla\Mozilla Firefox

PathToExe

\Internet Explorer\iexplore.exe

iexplore.exe

%d.%d.%d.%d

mac=XXXXXX

112233445566

SbieDll.dll

explorer.exe

winlogon.exe

svchost.exe

{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}

%s\%s

%s%s.exe

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

{A520A1A4-1780-4FF6-BD18-167343C5AF16}

Shell32.dll

%s%s.dat

%s%sb%s

RegDeleteKeyExA

advapi32.dll

RegDeleteKeyA

%s\Volatile Environment

%sLow

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\

HKEY_LOCAL_MACHINE\SOFTWARE\

kernel32.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Line %d, Column %d

{"%s": [ { "time": "%d", "count": "1", "report": "no", "active": "no" } ] }

report

?type=ma%sec&id=%d

?type=ma%sown&rep=%d&id=%d&merr=%d&fst=%d

%s.exe

taskkill /F /T /IM %s

?type=ma%sct&id=%d&pidb=%d&pida=%d&pidrt=%d&pidrs=%d&susb=%d&susa=%d

hXXp://s3.zawss.info/client-cmd/cr.html

%d_%m_%H_%M_%S

%Y%m%d

1.1.0.31

10110101

?type=map_open&id=%d&err=%d

%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d

:Invalid buffer size was passed to a Blowfish encryption or decryption routine.

Invalid key length used to initialize BlowFish.

inj.htm

?456789:;

!"#$%&'()* ,-./0123

{1FB49220-9E99-444C-85AA-F55307D0134F}

CDataController::HyhoPeravis with param

Not supported for this version!

avp.exe

nod32.exe

ekrn.exe

fsdfwd.exe

iswsvc.exe

avastsvc.exe

{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}

hkey_local_machine\

Dulcum.ini

Failed to open software key with error

Failed to create software key with error

Failed to open key with error

Data type not supporting this operation!

{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}

{1F0F6135-E368-41DA-a327-92D021B47810}

CDLLManager::FireFoxCallback - Crash

HandleProxyHTTPConnect

HTTPRequestBeforeSend

HTTPRequestBeforeReceive

CDLLManager, DLL in HTTP mode only

ms inside DLL (HandleHTTPConnect)!

Crash in CDLLManager::HandleHTTPConnect

) does not support HTTP Parser

DLL HTTPRequestBeforeSend (ID:

Going to call DLL HTTPRequestBeforeSend (ID:

Crash in CDLLManager::HTTPRequestBeforeSend

Crash in CDLLManager::HTTPRequestBeforeSend call to *(m_pData->pHTTPBeforeSend)

ms inside DLL (HTTPRequestBeforeSend)!

Going to call DLL HTTPRequestBeforeReceive (ID:

DLL HTTPRequestBeforeReceive (ID:

Crash in CDLLManager::HTTPRequestBeforeReceive call to *(m_pData->pHTTPBeforeReceive)

ms inside DLL (HTTPRequestBeforeReceive)!

Crash in CDLLManager::HTTPRequestBeforeReceive

\\.\Ndisredir

WINDOWS-874

WINDOWS-1250

WINDOWS-1251

WINDOWS-1252

WINDOWS-1253

WINDOWS-1254

WINDOWS-1255

WINDOWS-1256

WINDOWS-1257

WINDOWS-1258

WINDOWS-1259

REPORT

HTTP/1.1 200 OK

0;URL=

HTTP/1.1 302 FOUND

HTTP/1.1 307 FOUND

cswindows31j

windows-1256

windows-1255

windows-1254

windows-1253

windows-1252

windows-1251

windows-1250

VVV.tse.jus.br

VVV.justicaeleitoral.jus.br

maybankard.net

1.2.5

HTTP/1.1 302

HTTP/1.

hXXp://

hXXps://

HTTP/1.1 100

HTTP/1.1

HTTP://

HTTP/1.

http:

daum.net

hXXp://VVV.google.com

http/1.

.mpeg

.flac

.tiff

.jpeg

Failed getting GIT inside HTTPRequestBeforeSend

COM error on HTTPRequestBeforeSend

COM error (try/catch) on HTTPRequestBeforeSend

COM error on HTTPRequestBeforeSend performing redirect

COM error on HTTPRequestBeforeSend can't perform redirect

HTTPRequestBeforeSend received bad header, will block request!

HTTPRequestBeforeSend received request to modify header, but without one!

Failed getting GIT inside HTTPRequestBeforeReceive

COM error on HTTPRequestBeforeReceive

COM error (try/catch) on HTTPRequestBeforeReceive

COM error on HTTPRequestBeforeReceive performing redirect

COM error on HTTPRequestBeforeReceive can't perform redirect

HTTPRequestBeforeReceive empty header, will block request!

HTTPRequestBeforeReceive failed to parse header, will block request!

, port:

, password:

127.0.0.1

HTTP/1.1

User-Agent: Mozilla/5.0 (compatible;MSIE 7.0;Windows NT 6.0)

.logmein.com

{DD23A82A-F952-4106-8BD6-EDCD545C637A}

ws2_32.dll

COperationsManager::InitDownloadThread

Dulcum.EXE

COperationsManager::Init

COperationsManager

Shutting down execution threads

Shutting down execution threads (stats)

Shutting down execution threads (saving stats)

Dulcum.log

CertInstaller

Shuting down cert installer

No default cert and no custom cert found!

Custom cert set at CertThread

Empty custom password

UECert.dll

Failed loading cert installer (

Loaded cert installer

InstallFirefoxDirectory

Failed mapping InstallFirefoxDirectory with error:

Failed authenticating cert installer DLL

SetCertDLL

Failed mapping SetCertDLL with error:

Got custom public key from:

Failed to open custom cert file with error:

InstallWindowsDLL

Failed mapping InstallWindowsDLL with error:

InstallWindowsBinaryDLL

Failed mapping InstallWindowsBinaryDLL with error:

Installed Windows 8.1 custom cert

Failed to install Windows 8.1 custom cert

GetCertPEMDLL

Failed mapping GetCertPEMDLL with error:

opera.exe

firefox.exe

thunderbird.exe

CertsFF.dat

Our cert found in FF store

Firefox running in install cert, will not try to install cert

Opera running in install cert, will not try to install cert

CertsOP.dat

Thunderbird running in install cert, will not try to install cert

Saved Opera store

Failed to load Opera store

Loaded Opera store

Release cert installer

Crash on COperationsManager::CertThread

Crash on COperationsManager::InstallCertUser

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

PavTrc.dll

PavSHookWow.dll

PavLspHookWow.dll

PavSHook.dll

PavLspHook.dll

COperationsManager::CheckProxy - Added process:

COperationsManager::CheckProxy - Added hard include process:

COperationsManager::CheckProxy

COperationsManager::DownloadThread - Failed getting dtFileDownload table!

COperationsManager::DownloadThread - bad data for link:

COperationsManager::DownloadThread - Bad registry setting:

COperationsManager::DownloadThread - Failed getting reg value with error:

COperationsManager::DownloadThread - Failed to set registry setting with error:

COperationsManager::DownloadThread - Going to check:

COperationsManager::DownloadThread - Error on call:

COperationsManager::DownloadThread - Didn't receive event for downloading link:

COperationsManager::DownloadThread - Timeout on the event for downloading link:

COperationsManager::DownloadThread - Error from event:

COperationsManager::DownloadThread - Timeout from the result for downloading link:

sdktmp.exe

COperationsManager::DownloadThread - Going to run:

COperationsManager::DownloadThread - Failed to execute file:

COperationsManager::ExecuteFile - Failed to run:

COperationsManager::DownloadThread - Failed to update ini file with error:

COperationsManager::DownloadThread - Received empty INI file

COperationsManager::ExecuteFile - Timeout waiting for process

COperationsManager::ExecuteFile - Failed to delete:

COperationsManager::GetAllUsers - Failed to get key with error:

\Software\Microsoft\Windows\CurrentVersion\Internet Settings

https

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\

COperationsManager::NewProcessList - Installed mobile cert at:

COperationsManager::NewProcessList - Failed to install mobile cert at:

COperationsManager::NewProcessList - Crash calling InstallFirefox

COperationsManager::NewProcessList - Going to install FF cert to:

COperationsManager::NewProcessList - Installed regular cert at:

COperationsManager::GetMACAddress - error getting iphelper

COperationsManager::NewProcessList - Failed to install regular cert at:

COperationsManager::NewProcessList - Failed getting user SID

X:X:X:X:X:X

COperationsManager::GetKomodias - Failed to get key with error:

\\.\%c:

COperationsManager::OPStartService - Wrong data

COperationsManager::OPStartService - Failed to open SCM

COperationsManager::OPStartService - Failed to open service with error:

COperationsManager::OPStopService - Wrong data

COperationsManager::OPStartService - Failed to start service with error

COperationsManager::OPStopService - Failed to open SCM

COperationsManager::OPStopService - Failed to open service with error:

COperationsManager::OPQueryServiceStatus - Wrong data

COperationsManager::OPStopService - Failed to start service with error

COperationsManager::OPQueryServiceStatus - Failed to open SCM

COperationsManager::OPQueryServiceStatus - Failed to open service with error:

-----END PRIVATE KEY-----

-----BEGIN PRIVATE KEY-----

-----END CERTIFICATE-----

6qdiMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG

-----BEGIN CERTIFICATE-----

OWindows 95

Windows 98

Windows ME

Windows NT

Windows 2000

Windows XP

Windows 2003

Windows Vista

Windows 2008

Windows 2008R2

Windows 7

Windows 8

Windows 8.1

Windows 2012

Windows 2012r2

{6494AB3E-774F-4604-818A-EF0783E04A7D}

Failed loading ws2_32.dll with error:

{9DC8FA51-B596-4f77-802C-5B295919C205}

sdk.txt

Failed to open service key with error:

DLL is set to be loaded by using a registry key

Trying to start UDP channel

Starting relay on port:

{16CB9635-CCEA-4184-A4A4-E450754EF940}

Failed to open custom cert (public key) file with error:

Failed to open custom cert (private key) file with error:

Dulcumr.log

String library passed MT test

/RegServer flag not support!

Error openning key HKEY_CLASSES_ROOT!

{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}

Error openning key keyAppID!

RegOpenKeyTransactedA

Advapi32.dll

RegCreateKeyTransactedA

RegDeleteKeyTransactedA

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Failed to open keyAppID with error:

Failed to open HKEY_CLASSES_ROOT with error:

,url,

SSHThread

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\

Dulcum.dll

sqlite3.dll

softokn3.dll

smime3.dll

nssutil3.dll

nssdbm3.dll

nssckbi.dll

nss3.dll

libplds4.dll

libplc4.dll

libnspr4.dll

freebl3.dll

Not supporting WD!

{A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C}

CWebSocket::DownloadFile - Invalid parameter

CWebSocket::DownloadFile - Failed to resolve domain:

CWebSocket::DownloadFile - Failed to create socket

CWebSocket::DownloadFile - Failed to connect to:

User-Agent: Mozilla/4.0

CWebSocket::OnSocketTimeout - Timeout

CWebSocket::OnSocketConnect - Failed to connect to:

CWebSocket::OnSocketConnect - Failed to send request to:

CWebSocket::OnSocketReceive - Received bad data

CWebSocket::OnSocketReceive - Failed to parse header

CWebSocket::OnSocketReceive - Received error code from web server:

CWebSocket::OnSocketReceive - Invalid header

CWebSocket::OnSocketReceive - Failed to open file:

Failed to create/open SafeBoot sub key with error:

{BBE45957-FB3F-43BC-81F1-BD6C8BEE5951}

Not supporting TDI

0.0.0.0

CTCPSocketAsync

Operation made on non existant socket!

Can't run on TCP socket!

CTCPSocket

CTCPSocketAsyncMsg

%s_%lu_%lu

CControlableRelay::CreateSSLListener - Cert tested good!

CControlableRelay::CreateSSLListener - Failed to test cert!

Failed to test cert!

huntington.com

airnewzealand.co.nz

CControlableRelay::CAcceptSocket::CreateListener, Failed to bind socket to port:

Authentication failed (check username or password)

Socks5 reply: Address not supported

Socks5 reply: Command not supported

Failed to load keys!

EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB

BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY

### Msg ###

Read will pass buffer size!

_CTCPSocketAsyncSSL

CERTIFICATE

).cer

\goodcert

\badcert

CCertManager::VerifyChainUsingCrypto - Got bad results for domain:

for cert:

CCertManager::VerifyChainUsingCrypto - Failed to get chain with error:

CCertManager::VerifyChainUsingCrypto - Failed to create chain with error:

-----END %s-----

-----BEGIN %s-----

2.5.4.10=

2.5.4.11=

2.5.4.3=

CCertManager::LoadOperaStore -

CCertManager::LoadFFStore -

CCertManager::GetAllUsers - Failed to get key with error:

CCertManager::LoadIEStore -

CCertManager::LoadIEStore - Failed to open store

CCertManager::LoadIEStore - Failed to open file

CertsIE.dat

CTCPSocketAsyncDelegator

cmd.exe

Visual C CRT: Not enough memory to complete call to strerror.

GetProcessWindowStation

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

.?AVCMD5@@

.?AVCHTTPData@@

.?AVCHTTPFilter@@

.?AVCHTTPHeader@@

.?AVCKeywordManager@@

.?AVCTCPSocketAsyncBlowFish@@

.?AVCTCPSocketAsyncSSL@@

.?AVCTCPSocketAsyncMsg@@

.?AVCTCPSocketAsync@@

.?AVCTCPSocket@@

)hXXp://cybertrust.omniroot.com/repository0

1hXXp://cdp1.public-trust.com/CRL/Omniroot2025.crl0

.?AVCOperationsManager@@

.?AUISupportErrorInfo@@

.?AVCSSHManager@@

.?AVCUDPServer@@

.?AVCWebSocket@@

.?AVCTCPSocketOverider@CTCPSocketAsync@@

.?AVCSocketGetCert@CCertManager@@

.?AVCCertManager@@

.?AVCTCPSocketAsyncDelegator@@

zcÃ

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\Dulcum.exe

VERSION.dll

PSAPI.DLL

WS2_32.dll

GetProcessHeap

GetWindowsDirectoryA

GetWindowsDirectoryW

KERNEL32.dll

SetProcessWindowStation

MsgWaitForMultipleObjectsEx

USER32.dll

RegCloseKey

RegOpenKeyExA

RegEnumKeyExA

RegCreateKeyExA

RegQueryInfoKeyA

RegOpenKeyA

RegEnumKeyExW

RegCreateKeyA

RegEnumKeyA

ReportEventA

RegQueryInfoKeyW

RegOpenKeyExW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetExtendedTcpTable

IPHLPAPI.DLL

WinHttpReadData

WinHttpQueryDataAvailable

WinHttpCrackUrl

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpOpenRequest

WinHttpSendRequest

WinHttpCloseHandle

WinHttpConnect

WinHttpSetTimeouts

WinHttpOpen

WINHTTP.dll

Secur32.dll

CertFreeCertificateContext

CertFreeCertificateChain

CertGetCertificateChain

CertCreateCertificateContext

CertNameToStrA

CertEnumCRLsInStore

CertEnumCertificatesInStore

CertOpenStore

CertCloseStore

CertOpenSystemStoreA

CRYPT32.dll

GetCPInfo

{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96} = s 'Dulcum'

'%ShortModule%'

val AppID = s {B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}

DulcumLib.ChoFedgiw.1 = s 'ChoFedgiw Class'

CLSID = s '{1379DC63-E5C9-4CA2-8167-A3AC3B7804CF}'

DulcumLib.ChoFedgiw = s 'ChoFedgiw Class'

CurVer = s 'DulcumLib.ChoFedgiw.1'

ForceRemove {1379DC63-E5C9-4CA2-8167-A3AC3B7804CF} = s 'ChoFedgiw Class'

ProgID = s 'DulcumLib.ChoFedgiw.1'

VersionIndependentProgID = s 'DulcumLib.ChoFedgiw'

val AppID = s '{B3A4E1E3-9609-45DE-91A7-CEC2F8096D96}'

'TypeLib' = s '{D7B1AF5B-A80E-4DC5-8FB9-08321E58ED5D}'

DulcumLib.SysxNhropto.1 = s 'SysxNhropto Class'

CLSID = s '{1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0}'

DulcumLib.SysxNhropto = s 'SysxNhropto Class'

CurVer = s 'DulcumLib.SysxNhropto.1'

ForceRemove {1EAD3F4A-0EC3-4834-aD79-49B5A324B6B0} = s 'SysxNhropto Class'

ProgID = s 'DulcumLib.SysxNhropto.1'

VersionIndependentProgID = s 'DulcumLib.SysxNhropto'

DulcumLib.WiiWibdyftitg.1 = s 'WiiWibdyftitg Class'

CLSID = s '{1F0F6135-E368-41DA-a327-92D021B47810}'

DulcumLib.WiiWibdyftitg = s 'WiiWibdyftitg Class'

CurVer = s 'DulcumLib.WiiWibdyftitg.1'

ForceRemove {1F0F6135-E368-41DA-a327-92D021B47810} = s 'WiiWibdyftitg Class'

ProgID = s 'DulcumLib.WiiWibdyftitg.1'

VersionIndependentProgID = s 'DulcumLib.WiiWibdyftitg'

DulcumLib.RhnoSogafagwaf.1 = s 'RhnoSogafagwaf Class'

CLSID = s '{DD23A82A-F952-4106-8BD6-EDCD545C637A}'

DulcumLib.RhnoSogafagwaf = s 'RhnoSogafagwaf Class'

CurVer = s 'DulcumLib.RhnoSogafagwaf.1'

ForceRemove {DD23A82A-F952-4106-8BD6-EDCD545C637A} = s 'RhnoSogafagwaf Class'

ProgID = s 'DulcumLib.RhnoSogafagwaf.1'

VersionIndependentProgID = s 'DulcumLib.RhnoSogafagwaf'

DulcumLib.WopBaaijkap.1 = s 'WopBaaijkap Class'

CLSID = s '{F6BBFEEB-ADD4-4B34-8B07-D58CAEFDECCA}'

DulcumLib.WopBaaijkap = s 'WopBaaijkap Class'

CurVer = s 'DulcumLib.WopBaaijkap.1'

ForceRemove {F6BBFEEB-ADD4-4B34-8B07-D58CAEFDECCA} = s 'WopBaaijkap Class'

ProgID = s 'DulcumLib.WopBaaijkap.1'

VersionIndependentProgID = s 'DulcumLib.WopBaaijkap'

DulcumLib.JavFixodacwen.1 = s 'JavFixodacwen Class'

CLSID = s '{DAC5E6DC-8407-457F-8F08-79AA13EE85B4}'

DulcumLib.JavFixodacwen = s 'JavFixodacwen Class'

CurVer = s 'DulcumLib.JavFixodacwen.1'

ForceRemove {DAC5E6DC-8407-457F-8F08-79AA13EE85B4} = s 'JavFixodacwen Class'

ProgID = s 'DulcumLib.JavFixodacwen.1'

VersionIndependentProgID = s 'DulcumLib.JavFixodacwen'

DulcumLib.LopdRusipauwja.1 = s 'LopdRusipauwja Class'

CLSID = s '{A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C}'

DulcumLib.LopdRusipauwja = s 'LopdRusipauwja Class'

CurVer = s 'DulcumLib.LopdRusipauwja.1'

ForceRemove {A05B45E0-3C09-4C0C-8D0B-05F0B7F7597C} = s 'LopdRusipauwja Class'

ProgID = s 'DulcumLib.LopdRusipauwja.1'

VersionIndependentProgID = s 'DulcumLib.LopdRusipauwja'

DulcumLib.BobMycebukiej.1 = s 'BobMycebukiej Class'

CLSID = s '{AD296071-873C-4BB1-9818-BB740C07A3B1}'

DulcumLib.BobMycebukiej = s 'BobMycebukiej Class'

CurVer = s 'DulcumLib.BobMycebukiej.1'

ForceRemove {AD296071-873C-4BB1-9818-BB740C07A3B1} = s 'BobMycebukiej Class'

ProgID = s 'DulcumLib.BobMycebukiej.1'

VersionIndependentProgID = s 'DulcumLib.BobMycebukiej'

DulcumLib.AzeKhzawivyro.1 = s 'AzeKhzawivyro Class'

CLSID = s '{831F62AC-B7DC-4CF9-90BA-1DCDA445B52C}'

DulcumLib.AzeKhzawivyro = s 'AzeKhzawivyro Class'

CurVer = s 'DulcumLib.AzeKhzawivyro.1'

ForceRemove {831F62AC-B7DC-4CF9-90BA-1DCDA445B52C} = s 'AzeKhzawivyro Class'

ProgID = s 'DulcumLib.AzeKhzawivyro.1'

VersionIndependentProgID = s 'DulcumLib.AzeKhzawivyro'

DulcumLib.JoasHobhyl.1 = s 'JoasHobhyl Class'

CLSID = s '{1FB49220-9E99-444C-85AA-F55307D0134F}'

DulcumLib.JoasHobhyl = s 'JoasHobhyl Class'

CurVer = s 'DulcumLib.JoasHobhyl.1'

ForceRemove {1FB49220-9E99-444C-85AA-F55307D0134F} = s 'JoasHobhyl Class'

ProgID = s 'DulcumLib.JoasHobhyl.1'

VersionIndependentProgID = s 'DulcumLib.JoasHobhyl'

DulcumLib.HuttPefgiupc.1 = s 'HuttPefgiupc Class'

CLSID = s '{8C615F5F-2AF9-4DEA-8088-DE832002ACE4}'

DulcumLib.HuttPefgiupc = s 'HuttPefgiupc Class'

CurVer = s 'DulcumLib.HuttPefgiupc.1'

ForceRemove {8C615F5F-2AF9-4DEA-8088-DE832002ACE4} = s 'HuttPefgiupc Class'

ProgID = s 'DulcumLib.HuttPefgiupc.1'

VersionIndependentProgID = s 'DulcumLib.HuttPefgiupc'

DulcumLib.BeiwPhnumge.1 = s 'BeiwPhnumge Class'

CLSID = s '{48C17124-4EDF-46A8-9E2A-41396B4F6A55}'

DulcumLib.BeiwPhnumge = s 'BeiwPhnumge Class'

CurVer = s 'DulcumLib.BeiwPhnumge.1'

ForceRemove {48C17124-4EDF-46A8-9E2A-41396B4F6A55} = s 'BeiwPhnumge Class'

ProgID = s 'DulcumLib.BeiwPhnumge.1'

VersionIndependentProgID = s 'DulcumLib.BeiwPhnumge'

DulcumLib.LubEceonene.1 = s 'LubEceonene Class'

CLSID = s '{6494AB3E-774F-4604-818A-EF0783E04A7D}'

DulcumLib.LubEceonene = s 'LubEceonene Class'

CurVer = s 'DulcumLib.LubEceonene.1'

ForceRemove {6494AB3E-774F-4604-818A-EF0783E04A7D} = s 'LubEceonene Class'

ProgID = s 'DulcumLib.LubEceonene.1'

VersionIndependentProgID = s 'DulcumLib.LubEceonene'

DulcumLib.IsiObemibogn.1 = s 'IsiObemibogn Class'

CLSID = s '{BBE45957-FB3F-43BC-81F1-BD6C8BEE5951}'

DulcumLib.IsiObemibogn = s 'IsiObemibogn Class'

CurVer = s 'DulcumLib.IsiObemibogn.1'

ForceRemove {BBE45957-FB3F-43BC-81F1-BD6C8BEE5951} = s 'IsiObemibogn Class'

ProgID = s 'DulcumLib.IsiObemibogn.1'

VersionIndependentProgID = s 'DulcumLib.IsiObemibogn'

stdole2.tlbWWW

istLogin,

0~ziptHTTPWX

:iptHTTPConnectWWX

iptHTTPConnectSSLWWWX

iptHTTPHybridWWWX

iptHTTPHybridSSLX

&iptHTTPSSLWWX

iptSocks5TCPUDPWX

0RkiptRedirectBypassWWWX

iptSocks5UDPX

ftParentalOnlyWW

ftParentalTextOnlyWW

bftParentalOnlyMinimalWWW

=lPortWWW

lProxyPortWW

ZpPasswordWWW

bURL

FbFullRequestURLW

0:QdtPortWW

dtPortInvWWW

dtApplicationUDP

06MdtPortUDPWWW

dtIPUDPW

dtApplicationInvUDPW

(dtPortInvUDP

dtIPInvUDPWW

0l9dtApplicationTCPIWWW

dtPortTCPIWW

dtIPTCPI

dtApplicationInvTCPI

dtPortInvTCPIWWW

dtIPInvTCPIW

01.dtSSLDowngradeWW

tctHTTPFilter@

.aTypeWWWx

pSSHx

pUDPx

HyhoPeravisW

AKbCertWWWx

00|itnPortW4

lBypassSendWl

lSourcePortW

pPortWWW

CatjSeudpoWW

AusPortWW

2usInternalPortWWl

0;lfeTCPWWW

feTCPInc

qfeUDPWWW

feUDPIncl

lRemotePortW

lOriginalPortWWWl

seTCPWWW

seTCPInc

seUDPWWW

seUDPIncl

pProxyBypass

stPortWW(

rtRegistryKeyWWW

8LuISSHControllerWWH

pURL

!TbOldPassword

JbPasswordWWW

SSHControllerWWW

method HyhoPeravis

method CatjSeudpoW

Created by MIDL version 7.00.0555 at Thu May 07 23:07:47 2015

c:\webwork\boostwebapp\agent\commonutils\CheckSuspended.h

.default

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

l..\misc\Json\json_reader.cpp

..\misc\Json\json_reader.cpp

..\misc\Json\json_value.cpp

t..\misc\Json\json_value.cpp

..\misc\Json\json_writer.cpp

childValues_.size() == size

int(indentString_.size()) >= indentSize_

indentString_.size() >= indentation_.size()

Content-Type: application/x-www-form-urlencoded

CyoDecode.cpp

cCyoEncode.cpp

CyoEncode.cpp

sslredirectport

redirectport

port

password

filterhttp

dropbox.exe

aim.exe

lync.exe

mozybackup.exe

skype.exe

logmein.exe

ramaint.exe

lmiguardiansvc.exe

logmeinsystray.exe

logmeintoolkit.exe

googledrivesync.exe

aus2.mozilla.org

aus3.mozilla.org

windowsupdate.com

update.microsoft.com

windowsupdate.microsoft.com

c.microsoft.com

one.microsoft.com

ccapp.exe

avwebgrd.exe

coreserviceshell.exe

rps.exe

ccsvchst.exe

afterfx.exe

msvsmon.exe

webproxy.exe

portinv

portinvi

appinvudp

portinvudp

ipinvudp

httpfilterconnect

tcprulesand

httpdisable

dllhttponly

dtPort

dtPortInv

dtPortUDP

dtIPUDP

dtApplicationInvUDP

dtPortInvUDP

dtIPInvUDP

dtApplicationTCPI

dtPortTCPI

dtPortInvTCPI

dtIPInvTCPI

ctHTTPFilter

Not supported!

ydllhttponly

.r.log

.s.log

chrome.exe

safari.exe

webkit2webprocess.exe

ffcert

tiexplore.exe

/forcehttp

tcpinc

udpinc

DulcumOff.ini

certdebug

Data\profile\cert8.db

\Application Data\Mozilla\Firefox\Profiles\

\AppData\Roaming\Mozilla\Firefox\Profiles\

\cert8.db

\StringFileInfo\xx\OriginalFilename

c:\program files\microsoft visual studio 12.0\common7\ide\devenv.exe

\vmms.exe

c:\program files (x86)\microsoft visual studio 12.0\common7\ide\devenv.exe

c:\program files\microsoft sql server\110\tools\binn\managementstudio\ssms.exe

c:\program files (x86)\microsoft sql server\110\tools\binn\managementstudio\ssms.exe

\vmwp.exe

c:\program Files\microsoft office\office15\lync.exe

c:\program Files (x86)\microsoft office\office15\lync.exe

\inetsrv\w3wp.exe

%Program Files%\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

\vmconnect.exe

ssl3.dll

OLEAUT32.DLL

MCUI32.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinSock*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock*

tcpip

ekernel32.dll

KERNEL32.DLL

mscoree.dll

WUSER32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

Assertion failed: %s, file %s, line %d

ijiewacy.exe_2416:

.text

`.rdata

@.data

.rsrc

PSSh3

NtDll.dll

%s%s.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

RegEnumKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyW

ADVAPI32.dll

ole32.dll

PSAPI.DLL

GetCPInfo

zcÃ

gboostwebapp

g%s%s.dat

"%s" %s

ijieaacy.exe

reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=/ts2=1

%s.exe

reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=-cms

Soft%sicro%sdows\Cur%sion\R%s

B%sLow

%s\Volatile Environment

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

.default

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiewacy.exe

ijieaacy.exe_2588:

.text

`.rdata

@.data

.rsrc

@.reloc

SSShd

Mj.hL

WhH%F

8%u,j

xSSSh

FTPjKS

FtPj;S

C.PjRV

NtDll.dll

%s%s.exe

RegDeleteKeyA

RegDeleteKeyExA

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\

%s/%s

%s/sho%sn

st.bi

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

FRegDeleteKeyExW

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

un@cybluuk.com

2.0.3

Visual C CRT: Not enough memory to complete call to strerror.

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExW

RegEnumKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyW

RegCreateKeyExA

RegOpenKeyA

RegDeleteKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

VERSION.dll

IPHLPAPI.DLL

gdiplus.dll

PSAPI.DLL

WinHttpReadData

WinHttpQueryDataAvailable

WinHttpCrackUrl

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpOpenRequest

WinHttpSendRequest

WinHttpCloseHandle

WinHttpConnect

WinHttpSetTimeouts

WinHttpOpen

WINHTTP.dll

GetCPInfo

PeekNamedPipe

zcÃ

3034383

8(9,90949

0$1(1,1014181

>0>4>8>

5"53585=5

= =$=(=,=

5*6064686

9,:2:<:2>

=#='= =/=3=@=

7,787\7|7

:$:,:8:\:|:

0 0$0,0@0`0

C%d.%d.%d.%d

g%s\%s

boostwebapp

explorer.exe

Google Chrome

SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

\chrome.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

PathToExe

Software\Mozilla\Mozilla Firefox

iexplore.exe

\Internet Explorer\iexplore.exe

112233445566

mac=XXXXXX

SbieDll.dll

{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

B%s%s.dat

%s%sb%s

advapi32.dll

A%sLow

%s\Volatile Environment

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

.default

"%s" %s

ijieaacy.exe

kernel32.dll

"%s%s64.exe" -f

"%s%s.exe" -f

"%s%s.exe" /Unregserver

remove scn=%s

stop scn=%s

start scn=%s

"%s%s.exe" /Service

"%s%s64.exe" -b -d "%s%s64.dll"

"%s%s.exe" -b -d "%s%s.dll"

%s.exe

%SystemDrive%

hXXp://%s/%s

%s?type=install_start&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&mac=%s&dsr=%s&pgd=%s&bid=%s&buid=%d&av=%s&vm=%u&ltm=%s&cb=%d&x=172

%d&avname=%s

ws%s.

10110101

1.1.0.31

%Y%m%d

%d_%m_%H_%M_%S

%s%saffId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&manu=%s&ff=%s&ch=%s&ie=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d&x=408

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&manu=%s&ff=%s&ch=%s&ie=%s&mac=%s&dsr=%s&pgd=%s&bid=%s&buid=%d&vm=%u&wktm=%d&ltm=%s&cb=%d&x=175

%s %s

?type=active&cnt=%d&prvtm=%s&dl=%d

?type=updstat&kind=%s&old=%d&id=%s&down=%d&run=%d&ecode=%d&edcode=%d&runby=%d&tskerr=%d&tskst=%d&lpath=%s

Tempo %s Runner

?type=klld&id=%d&pidb=%d&susb=%d&pidrt=%d&pidrs=%d&count=%d

taskkill /F /T /IM %s

Tempo Runner %s

/dgad="%s"

?type=rstrt&id=%d&count=%d

Start Following: %s.exe

%s\tmp%d\%s%d.exe

https:

%s\tmp%d

ru%sce

%sdonce

%s?type=update&cnt=%d&prvtm=%s

%s un=NT AUTH

ORITY\SYSTEM cl=%s

es.ini

%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d

hXXp://s3.zawss.info/client-cmd/cr.html

?type=map_open&id=%d&err=%d

Content-Type: application/x-www-form-urlencoded

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

hXXp://%s/nr/%s

%s/%s/v%s/report.html

%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%Y_%m_%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\{DAFAC5F3-B290-40FE-8773-15CE53BF5CE7}

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ijie6acy.dll

ijie3acy.dll

jeboiiw.dat

oabilgu64.exe

oabilgu.exe

Dulcum.exe

utils.exe

uninstaller.exe

Od.sys

d.sys

?type=str%s

AM%sCS

mscoree.dll

cmd.exe

KERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijieaacy.exe

HiowlEkhwor.exe_3196:

.text

`.rdata

@.data

.rsrc

xSSSh

FTPjKS

FtPj;S

C.PjRV

NtDll.dll

%s%s.exe

[%u:%u - %s %s (%d)] %s: %s

HKEY_LOCAL_MACHINE\SOFTWARE\

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Services\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\network\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\minimal\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet???\Control\SafeBoot\minimal\

Line %d, Column %d

report

{"%s": [ { "time": "%d", "count": "1", "report": "no", "active": "no" } ] }

hXXps://kle.austries.com/amm/rapps/%s_%s/%s/loader.js?d=t

hXXp://kle.austries.com/amm/rapps/%s_%s/%s/loader.js?d=t

%sfish

RegDeleteKeyExW

RegDeleteKeyTransactedW

RegCreateKeyTransactedW

RegOpenKeyTransactedW

password

port

RegDeleteKeyA

RegDeleteKeyExA

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

C:\webwork\boostwebapp\Agent\ProxyCmd\Release\ProxyCmd.pdb

VERSION.dll

GetProcessHeap

SetNamedPipeHandleState

WaitNamedPipeA

CreateIoCompletionPort

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExW

RegEnumKeyExW

RegCreateKeyExA

RegOpenKeyA

RegDeleteKeyW

RegCreateKeyExW

RegQueryInfoKeyW

RegOpenKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

IPHLPAPI.DLL

PSAPI.DLL

WinHttpCrackUrl

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpOpenRequest

WinHttpCloseHandle

WinHttpConnect

WinHttpSetTimeouts

WinHttpOpen

WinHttpReadData

WinHttpQueryDataAvailable

WINHTTP.dll

GetCPInfo

.?AVCMD5@@

zcÃ

boostwebapp

iexplore.exe

\Internet Explorer\iexplore.exe

PathToExe

Software\Mozilla\Mozilla Firefox

Google Chrome

SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command

\chrome.exe

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

%d.%d.%d.%d

112233445566

mac=XXXXXX

SbieDll.dll

svchost.exe

winlogon.exe

explorer.exe

{3E62AA7C-52DA-49B0-a552-6E7D9A7B30FD}

%s\%s

Shell32.dll

{A520A1A4-1780-4FF6-BD18-167343C5AF16}

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

g\\.\pipe\7B4E5745-3859-41C7-93A6-6B4AA2C98C4D

%s%s.dat

B%s%sb%s

\agentlog.txt

"%s" %s

ijieaacy.exe

kernel32.dll

?type=ma%sown&rep=%d&id=%d&merr=%d&fst=%d

?type=ma%sec&id=%d

?type=ma%sct&id=%d&pidb=%d&pida=%d&pidrt=%d&pidrs=%d&susb=%d&susa=%d

taskkill /F /T /IM %s

%s.exe

%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d

10110101

1.1.0.31

%Y%m%d

%d_%m_%H_%M_%S

hXXp://s3.zawss.info/client-cmd/cr.html

?type=map_open&id=%d&err=%d

Content-Type: application/x-www-form-urlencoded

reinstall scn=%s sp=%s un=NT AUTHORITY\SYSTEM cl=-cmd

Copera.exe

webkit2webprocess.exe

safari.exe

chrome.exe

firefox.exe

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

WAdvapi32.dll

advapi32.dll

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

.default

%sLow

%s\Volatile Environment

mscoree.dll

cmd.exe

KERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

ADVAPI32.DLL

WUSER32.DLL

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\HiowlEkhwor.exe

ijiedacy.exe_3404:

.text

`.rdata

@.data

.rsrc

@.reloc

(WSSh

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

FRegDeleteKeyExW

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

GetProcessHeap

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegCloseKey

RegQueryInfoKeyW

RegEnumKeyExW

RegOpenKeyW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

ijiedacyu.dll

IPHLPAPI.DLL

gdiplus.dll

WinHttpReadData

WinHttpQueryDataAvailable

WinHttpCrackUrl

WinHttpQueryHeaders

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpOpenRequest

WinHttpCloseHandle

WinHttpConnect

WinHttpSetTimeouts

WinHttpOpen

WINHTTP.dll

GetCPInfo

zcÃ

6x7f7p8

1*2024282

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

rboostwebapp

112233445566

mac=XXXXXX

g%s%s.dat

B%sLow

%s\Volatile Environment

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

.default

@%s&affId=%s&pubId=%s&appId=%s&agver=%s&guid=%s&os=%s&mac=%s&buid=%d&wktm=%d&ltm=%s&cb=%d

10110101

1.1.0.31

%Y%m%d

%d_%m_%H_%M_%S

hXXp://s3.zawss.info/client-cmd/cr.html

?type=map_open&id=%d&err=%d

Content-Type: application/x-www-form-urlencoded

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

BKERNEL32.DLL

WUSER32.DLL

%Documents and Settings%\All Users\Application Data\boostwebapp\1.1.0.31\ijiedacy.exe