Trojan-Dropper.Win32.Daws.awfy (Kaspersky), Gen:Variant.Midie.6956 (B) (Emsisoft), Gen:Variant.Midie.6956 (AdAware), Virus.Win32.Sality.2.FD (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ba128a31de44701c560fcca1a050b89d
SHA1: e14b67ca4f4042536f8ca2e021d101547f06ad8a
SHA256: 7e9e05c5f40ceb38c292ba109b8b09b6915d49bcd64a60402c587c1a25484206
SSDeep: 49152:7QUFtXCEbTCNxKCnFnQXBbrtgb/iQvu0UHOJ:2E6NxvWbrtUTrUHOJ
Size: 2213565 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2012-03-05 10:37:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mscaps.exe:2748
wtmps.exe:2700
%original file name%.exe:1932
@AE1.tmp.exe:1116
NOTEPAD.EXE:3596
NOTEPAD.EXE:3744
NOTEPAD.EXE:3676
NOTEPAD.EXE:3568
NOTEPAD.EXE:2284
NOTEPAD.EXE:3524
NOTEPAD.EXE:3536
NOTEPAD.EXE:2240
NOTEPAD.EXE:3732
NOTEPAD.EXE:3704
netsh.exe:2472
netsh.exe:636
launch.exe:2640
WdExt.exe:2332
WINMINE.EXE:3636
WINMINE.EXE:3664
WINMINE.EXE:3608
WINMINE.EXE:3772
The Trojan injects its code into the following process(es):
360Inst_62.exe:644
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process mscaps.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (406 bytes)
%System%\wtime32.dll (29045 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (0 bytes)
The process wtmps.exe:2700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\mscaps.exe (27349 bytes)
The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (18098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe (23936 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (0 bytes)
The process @AE1.tmp.exe:1116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA8B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB933_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC597_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1EE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (242745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7AA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC180_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC22C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF9C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4AD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC113_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB79D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB897_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC624_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB878_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC12_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB82A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4EB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD79_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB66_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC5C6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2B9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8F5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0B5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC48E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC019_Rar\@AE1.tmp.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCEC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC317_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBD3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC31_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC430_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC057_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC662_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF8C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC75C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC6F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7DC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBABA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4CC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC038_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7CA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC336_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC568_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBF2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC151_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC45F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBFFA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC827_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC50B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0D4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB95_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9DF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC077_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC374_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0E4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC420_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3D2_Rar\@AE1.tmp.exe (13122 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB77E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0A6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC643_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC24B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB859_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC29A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2D8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA1E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC70E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC067_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD4A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC142_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC26B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA2D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7FB_Rar\@AE1.tmp.exe (13122 bytes)
C:\%original file name%.exe (2792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB73F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7E9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC682_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF2F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBAF8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC559_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC605_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1CE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC808_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (455744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB37_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1A0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC123_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8D6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA5C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC355_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC46E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC9E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBB4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3B3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1BF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0C5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC20D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC76C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC73D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8B6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD0C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC44F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCBE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC029_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6A1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB914_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF7D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC49D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2F7_Rar\@AE1.tmp.exe (13122 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (0 bytes)
C:\cbf7d (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
The process 360Inst_62.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_icon.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_logo.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360net.dll (111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_title.JPG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp (2467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\setup.ini (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\IELog.jpg (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_icon.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_logo.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_title.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\setup.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\IELog.jpg (0 bytes)
The process launch.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (112 bytes)
The process WdExt.exe:2332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD576_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE37F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE499_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD14F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCAC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEDE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD72B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE17C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5F0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE62F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD854_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE40_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2C6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2A7_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD15F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE41C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7A6_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA0A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDB3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4D9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE65E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDF0B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD29_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD73B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6ED_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE16C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC8C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4A8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE01_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE370_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE15D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE600_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD084_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5E3_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEFD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE787_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD585_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (26548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE360_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD324_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5C2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE729_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4BA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD362_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE322_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB90_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD71C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE796_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCC9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3C0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD41E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD864_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8CF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE777_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE479_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE12E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDBA0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE64E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1BA_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDC3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF0D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9CB_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8FE_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD98D_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8DE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE719_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD305_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD249_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE70A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD77_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE331_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF4C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF2C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD873_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD893_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6BE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE312_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD74A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE890_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE13D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2D4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6DD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE18B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB04_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3DF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1EB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (55476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD278_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8B0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCB9_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2E3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0F1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD45C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB81_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD046_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9FA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0C3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE4F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE489_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD883_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1DC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6AE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD07_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD17_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3A1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD612_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF9A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD18E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC8A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5D3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1DA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB42_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCF8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD007_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2E5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDF2_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE758_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCDD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE90D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB71_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE19B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4B8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE44B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD825_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCEA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD47C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD065_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD844_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8EE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5B4_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD44D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD566_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7B6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFB9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE20_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC9C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD120_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8A2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5D1_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE43B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE46A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD49B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE610_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE42B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE30_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDD2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE341_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB61_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCE8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0A3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE351_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE748_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE14D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE45A_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD20B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8BF_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE03_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD75A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4C8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5A5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE881_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD382_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD343_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD835_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9BB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDE2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE63F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE739_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6FC_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8A0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD816_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD595_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1CA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1AB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE91D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA29_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3EF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9DB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5E1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE767_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (48916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD602_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCBB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC5B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD026_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8B2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE11_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE61F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF1D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB23_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA67_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD70C_Rar\WdExt.exe (13122 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (0 bytes)
Registry activity
The process mscaps.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "%System%\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"
The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB C8 AA F4 12 CA 95 E8 36 32 DA B0 28 55 37 9D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process @AE1.tmp.exe:1116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Temp]
"adm0.bat" = "adm0"
"adm1.bat" = "adm1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\adm914]
"a4_0" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\adm914]
"a1_0" = "3432392762"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCU\Software\adm914\695404737]
"43014726" = "0500687474703A2F2F6D617474666F6C6C2E65752E696E74657269612E706C2F6C6F676F732E67696600687474703A2F2F7374312E646973742E73752E6C742F6C6F676F682E67696600687474703A2F2F6C70626D782E72752F6C6F676F732E67696600687474703A2F2F626A65726D2E6D6173732E68632E72752F6C6F676F682E67696600687474703A2F2F534F536954455F41564552495F534F5369544545452E6861686168"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\adm914\695404737]
"14338242" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\adm914\695404737]
"7169121" = "36"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\adm914\695404737]
"35845605" = "169"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 F8 7C 41 A0 B7 D2 25 A1 57 96 0C C7 27 24 0F"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\adm914\695404737]
"28676484" = "35"
[HKCU\Software\adm914]
"a3_0" = "17001001"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\adm914\695404737]
"50183847" = "AB5E0738695C8F8323226F12B1D03D7D79E71A90760ACADED2B04A211637CD4145F6749BEE9023AA532184F995577060D6510DE74D26646EFEDFC32366D2CC8E7771C37E919020908A4DB60C10921A99946050DEA9E148F0FFAB69F3A9524762D4085A5E517FCB0C38FF00DB7E5CB8BFF62F51C41C88B0B67DC3FC07CB089EF3"
[HKCU\Software\adm914]
"a2_0" = "5517"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\adm914\695404737]
"21507363" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"@AE1.tmp.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\@AE1.tmp.exe:*:Enabled:ipsec"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process NOTEPAD.EXE:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 2C 75 B5 55 DB 14 7F F9 66 83 9E C6 0D 7A 8E"
The process NOTEPAD.EXE:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 3A 43 EB 5A 68 F1 3F 69 6D E7 A1 28 99 CA C6"
The process NOTEPAD.EXE:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 4C F5 BF 53 E2 2E 89 2B 97 32 89 38 4A 75 33"
The process NOTEPAD.EXE:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C B1 0D 26 80 9A 15 AD A4 E5 9E 23 90 83 C3 0A"
The process NOTEPAD.EXE:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 81 14 33 75 6C B5 42 FB CA 23 A6 5D C7 8E A3"
The process NOTEPAD.EXE:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 9F 77 0F 2D CF E9 A3 CF 49 91 F0 46 14 19 18"
The process NOTEPAD.EXE:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0D 4E 24 68 C0 36 99 93 80 5E 4E C5 72 D5 60"
The process NOTEPAD.EXE:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 2A 29 CA 73 7B E8 5D 1E C6 30 DC 39 A2 C7 6E"
The process NOTEPAD.EXE:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 C7 AB 2A 3B 32 2B D4 A4 00 3E 42 2D 49 BE 45"
The process NOTEPAD.EXE:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 08 44 87 A7 CB 26 8D 8C 23 4D CB D7 3E F1 72"
The process 360Inst_62.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 8C 71 66 57 57 3A 03 26 33 1D DD D2 DF F8 8C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360Install" = ""
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"360Inst_62.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe:*:Enabled:360安全ä¸ÂÂ心"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process netsh.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 81 80 38 59 A1 8B AA 53 6F 49 48 65 F8 18 FB"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process netsh.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 65 79 74 D5 AF 7E 6F AB 74 89 A0 6F FF BA 88"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The process launch.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 2C 53 6A 49 F5 F0 52 BB B5 FE 88 6F 80 3C B3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe"
The process WdExt.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 BD 40 FB 03 75 E4 3C 2F 53 96 A8 AB 79 82 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process WINMINE.EXE:3636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 D1 4D B5 B9 32 7C D0 C5 95 79 7F C4 14 D4 3C"
The process WINMINE.EXE:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 51 56 33 4F 18 AC BE A2 01 70 7A 6E 10 C8 E1"
The process WINMINE.EXE:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 A7 70 10 45 9E 9B 28 CC 8D 43 EE 4F 8C DA E8"
The process WINMINE.EXE:3772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 83 2F 45 76 60 E3 6D 17 71 F7 10 48 22 41 C2"
Dropped PE files
| MD5 | File path |
|---|---|
| f1c9f4a1f92588aeb82be5d2d4c2c730 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Caches\Files\usd.dll |
| 1fcc5b3ed6bc76d70cfa49d051e0dff6 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Common\Shared\dis.dll |
| 8d1aceca7708f6e86ec8320ee15535ed | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Defender\launch.exe |
| b658d0ed0b76421f38e9e1cd3398d411 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Messenger\Extension\WdExt.exe |
| 6a9461f260ebb2556b8ae1d0ba93858a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Repairs\sha.dll |
| d0c9ada173da923efabb53d5a9b28d54 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Shared\Modules\fil.dll |
| fffa05401511ad2a89283c52d0c86472 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\Addins\att.dll |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD816_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD835_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD844_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD854_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD864_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD873_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD883_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD893_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD8A2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD8B2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD8C1_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD98D_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD9BB_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD9CB_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD9DB_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CD9FA_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA0A_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA19_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA29_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA38_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA48_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA58_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDA67_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB04_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB13_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB23_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB32_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB42_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB52_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB61_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB71_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB81_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDB90_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDBA0_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDC3C_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDC5B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDC6B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDC7B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDC8A_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDCB9_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDCC9_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDCD8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDCE8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDCF8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDD07_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDD17_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDDB3_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDDC3_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDDD2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDDE2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDDF2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE01_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE11_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE20_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE30_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE40_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDE4F_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CDF0B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE12E_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE13D_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE14D_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE15D_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE16C_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE17C_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE18B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE19B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE1AB_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE1BA_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE1CA_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE1DA_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE2C4_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE2D4_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE2E3_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE2F3_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE312_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE322_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE331_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE341_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE351_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE360_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE370_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE37F_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE41C_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE42B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE43B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE44B_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE45A_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE46A_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE479_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE489_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE499_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE4A8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE4B8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE4C8_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE5C2_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE5D1_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE5E1_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE5F0_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE600_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE610_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE61F_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE62F_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE63F_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE64E_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE65E_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE70A_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE719_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE729_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE739_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE748_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE758_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE767_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE777_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE787_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE796_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE7A6_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE7B6_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE881_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE890_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8A0_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8B0_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8BF_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8CF_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8DE_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8EE_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE8FE_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE90D_Rar\WdExt.exe |
| 10273889600c3d79fa0fcd250e9db43d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000CE91D_Rar\WdExt.exe |
| f7fa8c04295ef519db2b8c20321a7752 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\360Inst_62.exe |
| 15c5c02f54b27d2184cb5f81cacd5d61 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\360net.dll |
| 78d3c8705f8baf7d34e6a6737d1cfa18 | c:\WINDOWS\system32\mscaps.exe |
| 978888892a1ed13e94d2fcb832a2a6b5 | c:\WINDOWS\system32\wtime32.dll |
| f2a51c32746cfcd2baa1473a965e34a8 | c:\%original file name%.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscaps.exe:2748
wtmps.exe:2700
%original file name%.exe:1932
@AE1.tmp.exe:1116
NOTEPAD.EXE:3596
NOTEPAD.EXE:3744
NOTEPAD.EXE:3676
NOTEPAD.EXE:3568
NOTEPAD.EXE:2284
NOTEPAD.EXE:3524
NOTEPAD.EXE:3536
NOTEPAD.EXE:2240
NOTEPAD.EXE:3732
NOTEPAD.EXE:3704
netsh.exe:2472
netsh.exe:636
launch.exe:2640
WdExt.exe:2332
WINMINE.EXE:3636
WINMINE.EXE:3664
WINMINE.EXE:3608
WINMINE.EXE:3772 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\11.tmp (406 bytes)
%System%\wtime32.dll (29045 bytes)
%System%\mscaps.exe (27349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (18098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360Inst_62.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA8B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB933_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC597_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1EE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (242745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7AA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC180_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC22C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF9C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4AD_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC113_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (12549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB79D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB897_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC624_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB878_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC12_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB82A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4EB_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD79_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB66_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC5C6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2B9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8F5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0B5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC48E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC019_Rar\@AE1.tmp.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCEC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC317_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBD3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC31_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC430_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC057_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC662_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF8C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC75C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC6F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7DC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBABA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC4CC_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC038_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7CA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC336_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC568_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBF2_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC151_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC45F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBFFA_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC827_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC50B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0D4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB95_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9DF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC077_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC374_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0E4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC420_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3D2_Rar\@AE1.tmp.exe (13122 bytes)
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB77E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0A6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC643_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6EF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC24B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB859_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC29A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6C0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2D8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA1E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC70E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC067_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD4A_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC142_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC26B_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA2D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB7FB_Rar\@AE1.tmp.exe (13122 bytes)
C:\%original file name%.exe (2792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB73F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC7E9_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC682_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF2F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBAF8_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC559_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC605_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1CE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC808_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (455744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB9FE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBB37_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1A0_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.tmp (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC123_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8D6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBA5C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC355_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm1.bat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC46E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBC9E_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBBB4_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Se7.tmp (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC3B3_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC1BF_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC0C5_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC20D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sp6.tmp (1304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC76C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC73D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB8B6_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBD0C_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC44F_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBCBE_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC029_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC6A1_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CB914_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Temp\adm0.bat (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CBF7D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC49D_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CC2F7_Rar\@AE1.tmp.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_icon.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_logo.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\360net.dll (111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\safe_title.JPG (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\setup.ini (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\!@t284.tmp.dir\IELog.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD576_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE37F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE499_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD14F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCAC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEDE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD72B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE17C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5F0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE62F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD854_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE40_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2C6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2A7_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD15F_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE41C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpF.tmp (36444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7A6_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA0A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDB3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpE.tmp (21164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4D9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE65E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDF0B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD29_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD73B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6ED_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE16C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC8C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4A8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE01_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE370_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE15D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE600_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD084_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Repairs\sha.dll (7589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5E3_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCEFD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE787_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD585_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpB.tmp (26548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE360_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpD.tmp (18508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB52_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD324_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5C2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6CD_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE729_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD4BA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD362_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE322_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB90_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD71C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE796_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCC9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3C0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD41E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD864_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8CF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE777_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE479_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE12E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDBA0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE64E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1BA_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDC3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF0D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9CB_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe (18077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8FE_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD98D_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8DE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC7B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE719_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD305_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD249_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE70A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD77_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE331_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF4C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF2C_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD873_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC6B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD893_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6BE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE312_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD74A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Identities\"%CurrentUserName%"\arc.dll (96316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE890_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE13D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpC.tmp (28924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2D4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6DD_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE18B_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB04_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3DF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1EB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp10.tmp (55476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD278_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2F3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wtmps.exe (31581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8B0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCB9_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC3C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2E3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0F1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD45C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB81_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Shared\Modules\fil.dll (10805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD046_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9FA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0C3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE4F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE489_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD883_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD1DC_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6AE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD07_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDD17_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3A1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD612_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD38_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF9A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Common\Shared\dis.dll (10077 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD18E_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC8A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5D3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1DA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB42_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCF8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD007_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD2E5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDF2_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE758_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCDD5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE90D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB71_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE19B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4B8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE44B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD825_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCEA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD47C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD065_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD844_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8EE_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5B4_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD44D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD566_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE7B6_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFB9_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE20_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCC9C_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD120_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8A2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5D1_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE43B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE46A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD49B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE610_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE42B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE30_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDD2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE341_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB61_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDCE8_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD0A3_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE351_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE748_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE14D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8C1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE45A_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD20B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8BF_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA58_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE03_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCFA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Addins\att.dll (18829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD75A_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE4C8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD5A5_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE881_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD382_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD343_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD835_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9BB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDDE2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE13_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE63F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE739_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD6FC_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE8A0_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD816_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD595_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Caches\Files\usd.dll (7933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1CA_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE1AB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE91D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE2C4_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA29_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCE32_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD3EF_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD9DB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCFD8_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE5E1_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE767_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCD19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpA.tmp (48916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA19_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD602_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCCBB_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDC5B_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD026_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD8B2_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA48_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDE11_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CE61F_Rar\WdExt.exe (26244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CCF1D_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDB23_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CDA67_Rar\WdExt.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000CD70C_Rar\WdExt.exe (13122 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360Install" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Defender\launch.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: 360.cn
Product Name: 360Inst.exe
Product Version: 2.2.0.1004
Legal Copyright: Copyright (C) 360.cn Inc.All Rights Reserve
Legal Trademarks: 360????
Original Filename:
Internal Name:
File Version: 2.2.0.1004
File Description: 360??????????
Comments:
Language: English
Company Name: 360.cnProduct Name: 360Inst.exeProduct Version: 2.2.0.1004Legal Copyright: Copyright (C) 360.cn Inc.All Rights ReserveLegal Trademarks: 360????Original Filename: Internal Name: File Version: 2.2.0.1004File Description: 360??????????Comments: Language: English
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2108 | 2560 | 3.76997 | 6dbb11cce72cc16b887018dd4c34d252 |
| .rdata | 8192 | 1478 | 1536 | 3.36814 | 838666d924e8b6e9dfc84f930bd16733 |
| .data | 12288 | 172032 | 512 | 0.377955 | 7d6dcdf3bcb22dca4957ddb77c1c8cbf |
| .rsrc | 184320 | 17024 | 17408 | 4.06525 | af359578aa0a098ebcfcabe66586539a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://softm-b.update.360safe.com/360safe/safe_home.cab?value=27832 | |
| hxxp://pinst.360.cn/360safe/safe_home.cab?value=27832 | 106.120.168.93 |
| windowsupdate.microsoft.com | 65.55.50.189 |
| tr.p.360.cn | 106.120.169.158 |
| st.p.360.cn | 218.30.118.91 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /360safe/safe_home.cab?value=27832 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: pinst.360.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.8
Date: Sun, 29 May 2016 03:42:32 GMT
Content-Type: application/octet-stream
Content-Length: 24698
Last-Modified: Fri, 01 Apr 2016 08:17:31 GMT
Connection: close
Accept-Ranges: bytes
MSCF....z`......,...........................b"........\DY. .IELog.jpg.8...b"....\DY. .safe_icon.bmp..!...%....\DY. .safe_logo.jpg."....F....\DY. .safe_title.JPG......\.....HmR .setup.ini.i.Z8._.rCK...T.K.088. .....lp.....A..lp'.'...B.,....w....%..@.}.......{...'...U.U.....S..L.,..$.!..........v..x .bj..@. ......$[Kgg{~..;'fc3.....j..nl........q.76..;...- vB..5....3!J-..V.{..."...V.TT7..6.3...&.t.w....;......9...Q.2....a.J.[.gk!JQ.....29...&.bfe2e.f%.fcf.................3...s......n.......U.%.....Q.V.........h............`r..s6vg.s....8....b........&P.g!J.?T..WP.......-...N..`......a.fQ.;A].M.0t..,..I..0i...!.M1.........e..(a3.f.3~QNQ.v.7.$.#!...&......)!...*.......E...q.r...H.`...b|....b.b....\\.....99...........?.......PGu(....P..:C.,... 5.r-.......9...;B\.f..P[.[..C......w.f.g,......\..!....?........`...v0nv.......a...f...@EFFFAFEAA....`....c........{................G...Sb.?......},"\\.'......O.M#..: .P...........M .&........."2.*..........X...... .p...Q..Q...>.. S.=D..CU1.tx.......W4.j....E..G.8..M.)N.R..$A...............v.....!2.....1%;>..jr.........>.L..H..".<.@.C.)..`..Z......i_.0y......%..'.t..8....X*..b..'.v.klaZ...Q..`.....o......A.=.'...fb{|k...A..A..:.H.*......o.1.s|..$.......e3.Ie...FPH3A....(.....1[v5d......q.M..0H.%......S.12#..g4p2F..H"}..Th........B...8..5k....W.y..3...&7j..../...2"...,."O.PV@A.{A,f..N9L..._...&.`^2....t..F-.......[.f.3..(.c.PL.Y1.`..}..F.T..............o..<.....qH;..n.......%$.r....e.D..YNG...)..|.....v1.&..&6.......'...2|v..0.8.....f..b.i...R.U..IG<1.A.6...&
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
360Inst_62.exe_644:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
SRPQSSh
SRPQSSh
1.2.3
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
DES part of OpenSSL 0.9.7c 30 Sep 2003
DES part of OpenSSL 0.9.7c 30 Sep 2003
libdes part of OpenSSL 0.9.7c 30 Sep 2003
libdes part of OpenSSL 0.9.7c 30 Sep 2003
MD5 part of OpenSSL 0.9.7c 30 Sep 2003
MD5 part of OpenSSL 0.9.7c 30 Sep 2003
MD4 part of OpenSSL 0.9.7c 30 Sep 2003
MD4 part of OpenSSL 0.9.7c 30 Sep 2003
SHLWAPI.dll
SHLWAPI.dll
VERSION.dll
VERSION.dll
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegDeleteKeyW
RegDeleteKeyW
RegOpenKeyExW
RegOpenKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
COMCTL32.dll
COMCTL32.dll
MSIMG32.dll
MSIMG32.dll
MSVCP60.dll
MSVCP60.dll
WS2_32.dll
WS2_32.dll
SETUPAPI.dll
SETUPAPI.dll
HttpQueryInfoW
HttpQueryInfoW
InternetOpenUrlW
InternetOpenUrlW
InternetCanonicalizeUrlA
InternetCanonicalizeUrlA
InternetCrackUrlA
InternetCrackUrlA
WININET.dll
WININET.dll
MSVCRT.dll
MSVCRT.dll
_wcmdln
_wcmdln
PSAPI.DLL
PSAPI.DLL
iphlpapi.dll
iphlpapi.dll
Secur32.dll
Secur32.dll
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WINHTTP.dll
GetProcessHeap
GetProcessHeap
UnhookWindowsHookEx
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExW
.?AV?$CDialogImpl@VCCancelMsgBox@@VCWindow@ATL@@@ATL@@
.?AV?$CDialogImpl@VCCancelMsgBox@@VCWindow@ATL@@@ATL@@
.?AVCCancelMsgBox@@
.?AVCCancelMsgBox@@
.?AVCHttpDownload@@
.?AVCHttpDownload@@
HttpGetLastError
HttpGetLastError
HttpGetReceivedLength
HttpGetReceivedLength
HttpGetContentLength
HttpGetContentLength
HttpGetConnectState
HttpGetConnectState
HttpGetState
HttpGetState
HttpResetAll
HttpResetAll
HttpWait
HttpWait
HttpCancel
HttpCancel
HttpDownload
HttpDownload
HttpInitDownPara
HttpInitDownPara
HttpDeleteDownloadObj
HttpDeleteDownloadObj
HttpCreateDownloadObj
HttpCreateDownloadObj
ag.p.360.cn
ag.p.360.cn
tr.p.360.cn
tr.p.360.cn
221.194.134.221
221.194.134.221
220.181.126.81
220.181.126.81
error %d
error %d
124.238.243.54
124.238.243.54
,
,
[%s] %s
[%s] %s
%u/%u-%u/%u-%u/%u-%u/%u-%d%%>,
%u/%u-%u/%u-%u/%u-%u/%u-%d%%>,
function shExpMatch(host, domain) {var c = domain.charAt(0); if(c == "\*") {var str = host.charAt(0) domain; var exp1 = new RegExp(str); return host.match(exp1);} else {var exp2 = new RegExp(domain); return host.match(exp2);} }
function shExpMatch(host, domain) {var c = domain.charAt(0); if(c == "\*") {var str = host.charAt(0) domain; var exp1 = new RegExp(str); return host.match(exp1);} else {var exp2 = new RegExp(domain); return host.match(exp2);} }
function dnsDomainLevels(host) {var idx = host.indexOf(".");if(idx == -1) return 0; var substr = host.substring(idx 1); return 1 dnsDomainLevels(substr);}
function dnsDomainLevels(host) {var idx = host.indexOf(".");if(idx == -1) return 0; var substr = host.substring(idx 1); return 1 dnsDomainLevels(substr);}
function myIpAddress() { return "127.0.0.1"; }
function myIpAddress() { return "127.0.0.1"; }
function dnsResolve(host) { return "127.0.0.1"; }
function dnsResolve(host) { return "127.0.0.1"; }
function localHostOrDomainIs(host, hostdom) {if(hostdom.match(host)) return true; else return false; }
function localHostOrDomainIs(host, hostdom) {if(hostdom.match(host)) return true; else return false; }
function dnsDomainIs(host, domain) {if(host.match(domain)) return true; else return false; }
function dnsDomainIs(host, domain) {if(host.match(domain)) return true; else return false; }
function isPlainHostName(host) {if(host.match(".")) return false; else return true; }
function isPlainHostName(host) {if(host.match(".")) return false; else return true; }
%sX
%sX
360Pd2I64X
360Pd2I64X
360Pd%s
360Pd%s
%s-%s
%s-%s
HTTP/1.0 200 OK
HTTP/1.0 200 OK
%s%s%s
%s%s%s
GET /index.html HTTP/1.0
GET /index.html HTTP/1.0
127.0.0.1
127.0.0.1
TCP Port
TCP Port
st.p.360.cn
st.p.360.cn
stun01.sipphone.com
stun01.sipphone.com
%s%s-%s
%s%s-%s
Referer: %s
Referer: %s
Content-Length: %d
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
Content-Type: multipart/form-data; boundary=%s
Host: %s
Host: %s
User-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)
User-Agent: Mozilla/4.0(compatible;MSIE 5.00;Windows 98)
User-Agent: %s
User-Agent: %s
%s %s HTTP/1.1
%s %s HTTP/1.1
ku6.com
ku6.com
fastweb
fastweb
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"
(3-!0,1'8"5.*2$
(3-!0,1'8"5.*2$
Corrupted file or wrong key
Corrupted file or wrong key
M-SEARCH * HTTP/1.1
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
HOST: 239.255.255.250:1900
controlURL
controlURL
hXXp://
hXXp://
URLBase
URLBase
HTTP/1.1
HTTP/1.1
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
AddPortMapping
AddPortMapping
NewPortMappingDescription
NewPortMappingDescription
NewInternalPort
NewInternalPort
NewExternalPort
NewExternalPort
DeletePortMapping
DeletePortMapping
External NAT port in use
External NAT port in use
External NAT port in use: Too many retries
External NAT port in use: Too many retries
Error getting StaticPortMappingCollection
Error getting StaticPortMappingCollection
Port mapping not owned by this class
Port mapping not owned by this class
RemoveNatPortMapping
RemoveNatPortMapping
%s:%d-ID(%s)-NAT(%d)-VER(%d)-STAT(%d)-FULL(%d%%)-DNVOL(%u)-UPVOL(%u),
%s:%d-ID(%s)-NAT(%d)-VER(%d)-STAT(%d)-FULL(%d%%)-DNVOL(%u)-UPVOL(%u),
Cid[%u] %s
Cid[%u] %s
HOST%d(%s)-PRI(%d)-ZONE(%d)-VOL(%u)-CNT(%d),
HOST%d(%s)-PRI(%d)-ZONE(%d)-VOL(%u)-CNT(%d),
%s:%d-HOST(%s)-VOL(%u)-OK(%d)-ERR(%d),
%s:%d-HOST(%s)-VOL(%u)-OK(%d)-ERR(%d),
HTTP/
HTTP/
%s %s
%s %s
0|2008-10-08|15:04:02|QHErrObj.cpp|1||MEM|1|
0|2008-10-08|15:04:02|QHErrObj.cpp|1||MEM|1|
version="1.0.0.0"
version="1.0.0.0"
360Inst.exe
360Inst.exe
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
@ /URL:
@ /URL:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HttpDownLib
HttpDownLib
%s360net.dll
%s360net.dll
%s\%s
%s\%s
%s\*.*
%s\*.*
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
?value=%d
?value=%d
kernel32.dll
kernel32.dll
%d.%d.%d.%d
%d.%d.%d.%d
%s.exe
%s.exe
@PDown://b7=1|b2=%d|p2=%s|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d
@PDown://b7=1|b2=%d|p2=%s|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d
PDown://b7=1|b2=%d|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d
PDown://b7=1|b2=%d|p3=%d|p4=%d|%s|h1=%s|h3=%d|b9=%d
mod=Installer&ver=%s&t_pidpro=%s_%s
mod=Installer&ver=%s&t_pidpro=%s_%s
%s /S /D=%s
%s /S /D=%s
%s /D=%s
%s /D=%s
1.2.0.1004
1.2.0.1004
hXXp://pdown.stat.360safe.com/dimana.htm
hXXp://pdown.stat.360safe.com/dimana.htm
@ddrawex.dll
@ddrawex.dll
ddraw.dll
ddraw.dll
d3d9.dll
d3d9.dll
d3d8thk.dll
d3d8thk.dll
d3d8.dll
d3d8.dll
@,%s,
@,%s,
MainWindowSize
MainWindowSize
Description%d
Description%d
Urls
Urls
HTTPTimeup
HTTPTimeup
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_USERS
pdown://p2=%s|b5=%s|b6=%s|p4=%d;%s;%s;%u;
pdown://p2=%s|b5=%s|b6=%s|p4=%d;%s;%s;%u;
%sNUList.ini
%sNUList.ini
HNetCfg.FwAuthorizedApplication
HNetCfg.FwAuthorizedApplication
HNetCfg.FwMgr
HNetCfg.FwMgr
[Login] ---------- end ----------
[Login] ---------- end ----------
[Login] ---------- start ----------
[Login] ---------- start ----------
----------[CreateP2SPTask] ID:%d, pdonw:%s, file:%s----------
----------[CreateP2SPTask] ID:%d, pdonw:%s, file:%s----------
----------[StartTask] ID:%d----------
----------[StartTask] ID:%d----------
----------[StopTask] ID:%d----------
----------[StopTask] ID:%d----------
----------[GetFinishMessage] ID:%d----------
----------[GetFinishMessage] ID:%d----------
[DiskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.
[DiskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.
[DiskFile] set file valid data failed file:%s %d
[DiskFile] set file valid data failed file:%s %d
[CDiskFile::RenameFile] MoveFile fail, error code is %d
[CDiskFile::RenameFile] MoveFile fail, error code is %d
[CDiskFile::RenameFile] file(%s) already exist
[CDiskFile::RenameFile] file(%s) already exist
%s.%u
%s.%u
[__check_piece_hash] id:%d, piece:%d
[__check_piece_hash] id:%d, piece:%d
[CDiskFile::__write_disk] WriteFile fail, error code is %d
[CDiskFile::__write_disk] WriteFile fail, error code is %d
[CDiskFile::__write_disk] SetFilePointer fail, error code is %d
[CDiskFile::__write_disk] SetFilePointer fail, error code is %d
[CDiskFile::__read_disk] ReadFile fail, error code is %d
[CDiskFile::__read_disk] ReadFile fail, error code is %d
[CDiskFile::__read_disk] SetFilePointer fail, error code is %d
[CDiskFile::__read_disk] SetFilePointer fail, error code is %d
[CDiskFile::__open_file] create file(%s) fail! error code is %d
[CDiskFile::__open_file] create file(%s) fail! error code is %d
Kernel32.dll
Kernel32.dll
n[Use Tcp Proxy]:Tcp %s, %d
n[Use Tcp Proxy]:Tcp %s, %d
[change tracker ip]: udp: %s ,tcpproxy:%s %d
[change tracker ip]: udp: %s ,tcpproxy:%s %d
Drop result %s:%d
Drop result %s:%d
Receive result %s:%d %I64u flag %d
Receive result %s:%d %I64u flag %d
Registering %s:%d %I64u
Registering %s:%d %I64u
tracker Udp dns resolve: %s:%d
tracker Udp dns resolve: %s:%d
[Use Udp Server]
[Use Udp Server]
login server , public ip %s:%d private ip %s:%d peerid: %s
login server , public ip %s:%d private ip %s:%d peerid: %s
ReDirect Server ,Relogin
ReDirect Server ,Relogin
PeerId Exist, ReLogin
PeerId Exist, ReLogin
share: taskid %d hash %s result %d
share: taskid %d hash %s result %d
GetPeer: taskid %d hash %s result %d
GetPeer: taskid %d hash %s result %d
[TaskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.
[TaskScheduler] type:%d, taskid:%d, cost:%dms, msg:%d.
360P2SP.dll
360P2SP.dll
\LiveUpdateLog\P2SP.log
\LiveUpdateLog\P2SP.log
PolicyControl%d
PolicyControl%d
[CTaskMgr] DNS proxy: %s
[CTaskMgr] DNS proxy: %s
\livep.dat
\livep.dat
[CTaskMgr::__update_config] update livep.dat
[CTaskMgr::__update_config] update livep.dat
[CTaskMgr::__check_load] traffic control stop! load:%d disk:%d , taskmgr:%d
[CTaskMgr::__check_load] traffic control stop! load:%d disk:%d , taskmgr:%d
[CTaskMgr::__check_load] traffic control start! load:%d disk:%d , taskmgr:%d
[CTaskMgr::__check_load] traffic control start! load:%d disk:%d , taskmgr:%d
[CTaskMgr::__CreateTask] Init task fail. Id:%d, Pdown:%s, File:%s
[CTaskMgr::__CreateTask] Init task fail. Id:%d, Pdown:%s, File:%s
[CTaskMgr::__sendmsg_knl] type:%d, taskid:%d, cost:%dms, msg:%d.
[CTaskMgr::__sendmsg_knl] type:%d, taskid:%d, cost:%dms, msg:%d.
[CTaskMgr::__sendmsg_knl] send fail! current load: %d
[CTaskMgr::__sendmsg_knl] send fail! current load: %d
sd-d-d d:d:d:=[%s]-->%s
sd-d-d d:d:d:=[%s]-->%s
>hXXp://pstat.p.360.cn/uplog.php
>hXXp://pstat.p.360.cn/uplog.php
pstat.p.360.cn
pstat.p.360.cn
%s\LiveUpdateLog\track-dddddd.d.log
%s\LiveUpdateLog\track-dddddd.d.log
FindProxyForURL
FindProxyForURL
[P2SP_FindProxyForURL]
[P2SP_FindProxyForURL]
. Result: %s.
. Result: %s.
. URL: %s, Host: %s.
. URL: %s, Host: %s.
[CProxyMgr::GetProxyAddrW] P2SP_FindProxyForURL fail
[CProxyMgr::GetProxyAddrW] P2SP_FindProxyForURL fail
%s_%d
%s_%d
[NotifyWinPop] %d , %s ,%s ,%s
[NotifyWinPop] %d , %s ,%s ,%s
%s;%d;%s;%s
%s;%d;%s;%s
customhttp
customhttp
%s;%d;%s;%s;%d
%s;%d;%s;%s;%d
HTTP Proxy Authorization
HTTP Proxy Authorization
http=
http=
hXXp://wpad.%s/wpad.dat
hXXp://wpad.%s/wpad.dat
hXXp://%s/wpad.dat
hXXp://%s/wpad.dat
HTTPMINPIECE
HTTPMINPIECE
MAXHTTPCONN
MAXHTTPCONN
MAXCONNMSG
MAXCONNMSG
HTTPTIMEOUT
HTTPTIMEOUT
%u.%u.%u.%u
%u.%u.%u.%u
KICKHTTP
KICKHTTP
MSGQUEUE
MSGQUEUE
HTTPDATA
HTTPDATA
HTTPHDR
HTTPHDR
HTTPCONN
HTTPCONN
[UdpListing] Port :%d
[UdpListing] Port :%d
[UdpListing] Err: %d
[UdpListing] Err: %d
[TcpListing] Nattype =%d , Port = %d
[TcpListing] Nattype =%d , Port = %d
[TcpListing] Err: %d
[TcpListing] Err: %d
[UPnp] is Open :NatType:%d, port: %d
[UPnp] is Open :NatType:%d, port: %d
StunRecv:Type %d Count:%d
StunRecv:Type %d Count:%d
mStunt Dns resolve: %s:%d
mStunt Dns resolve: %s:%d
Net Type StunTypePortRestrictedNat
Net Type StunTypePortRestrictedNat
Nat Test again,Relogin %d
Nat Test again,Relogin %d
Begin Login
Begin Login
tudp %6s
tudp %6s
tudp %6s flag:%d seq:Â ack:Â len M
tudp %6s flag:%d seq:Â ack:Â len M
passive
passive
tudp send action:%6s
tudp send action:%6s
tudp send action:%s
tudp send action:%s
tudp action:%6s ini ack:%d ack:%d
tudp action:%6s ini ack:%d ack:%d
tracker rsp not login
tracker rsp not login
Disconnect from %s:%d , reason %d , api_reason %d
Disconnect from %s:%d , reason %d , api_reason %d
[=]connect to %s:%d
[=]connect to %s:%d
[=]Requesting Meta %s:%d
[=]Requesting Meta %s:%d
[=]Send request index %d begin %d lenth %d
[=]Send request index %d begin %d lenth %d
[=]connected from %s:%d
[=]connected from %s:%d
[=]Handshake with %s:%d %d
[=]Handshake with %s:%d %d
[=]recv bitfield s:%d, %d bytes
[=]recv bitfield s:%d, %d bytes
[=]recv meta req s:%d, %s
[=]recv meta req s:%d, %s
[=]recv Meta File from %s :%d , %d
[=]recv Meta File from %s :%d , %d
[=]recv have %s :%d , %d
[=]recv have %s :%d , %d
[=]recv piece request %s :%d , index %d begin %d length %d
[=]recv piece request %s :%d , index %d begin %d length %d
[=]recv piece data %s :%d , index %d begin %d length %d
[=]recv piece data %s :%d , index %d begin %d length %d
[=]recv cancel %s :%d , index %d begin %d length %d
[=]recv cancel %s :%d , index %d begin %d length %d
[=]recv interest %s :%d
[=]recv interest %s :%d
[=]recv unchoke %s :%d
[=]recv unchoke %s :%d
[=]Disconnect s:%d, status %d , Reason %d , api %d
[=]Disconnect s:%d, status %d , Reason %d , api %d
>
>
>
>
TaskID = %u FileName=%s ErrorCode= %d
TaskID = %u FileName=%s ErrorCode= %d
TaskID = %u ErrorCode = %d
TaskID = %u ErrorCode = %d
TaskID = %u ErrorCode = %d PDownURL = %s
TaskID = %u ErrorCode = %d PDownURL = %s
TaskID = %u URL = %s File=%s
TaskID = %u URL = %s File=%s
TaskID = %u Start
TaskID = %u Start
TaskID = %u File = %s
TaskID = %u File = %s
TaskID = %u FileName = %s
TaskID = %u FileName = %s
TaskID = %u Pause
TaskID = %u Pause
TaskID = %u StopSeed
TaskID = %u StopSeed
TaskID = %u Stop
TaskID = %u Stop
,IP|%u,ER|%u
,IP|%u,ER|%u
TaskID|%u,ErrorCode|%d,LineNo|%d,DnCount|%d,HttpNum|%d,DnFailCount|%d,FStatus|%d,IsTorrent|%d,Peers|%d,Seeds|%d,P2SS|%I64d,P2PS|%I64d,PDMode|%d,Dup|%I64d,P2SDUP|%I64d,P2PDUP|%I64d,P2PTS|%I64d,P2PUS|%I64d,P2PTDS|%I64d,P2PUDS|%I64d,Proxy|%d,DNSTime|%u,ConTime|%u,HeadTime|%u,DataTime|%u,61Err|%d,60Err|%d,54Err|%d,53Err|%d,DNS|%u,416Code|%u,502Code|%u,503Code|%u,ElsNum|%u,Nat|%d,HttpMgrFail|%d
TaskID|%u,ErrorCode|%d,LineNo|%d,DnCount|%d,HttpNum|%d,DnFailCount|%d,FStatus|%d,IsTorrent|%d,Peers|%d,Seeds|%d,P2SS|%I64d,P2PS|%I64d,PDMode|%d,Dup|%I64d,P2SDUP|%I64d,P2PDUP|%I64d,P2PTS|%I64d,P2PUS|%I64d,P2PTDS|%I64d,P2PUDS|%I64d,Proxy|%d,DNSTime|%u,ConTime|%u,HeadTime|%u,DataTime|%u,61Err|%d,60Err|%d,54Err|%d,53Err|%d,DNS|%u,416Code|%u,502Code|%u,503Code|%u,ElsNum|%u,Nat|%d,HttpMgrFail|%d
Cid = %u TaskID = %u PieceMgr InitCid Ok
Cid = %u TaskID = %u PieceMgr InitCid Ok
Cid = %u TaskID = %u PieceMgr InitCid fail
Cid = %u TaskID = %u PieceMgr InitCid fail
Cid = %u TaskID = %u GetHttpStatInfo fail
Cid = %u TaskID = %u GetHttpStatInfo fail
Cid = %u TaskID = %u HttpConnnect fail
Cid = %u TaskID = %u HttpConnnect fail
Cid = %u TaskID = %u m_nFinishStatus not working Delete
Cid = %u TaskID = %u m_nFinishStatus not working Delete
Cid = %u TaskID = %u SetFileLen %I64d
Cid = %u TaskID = %u SetFileLen %I64d
Cid = %u TaskID = %u Httpcode = %u Delete
Cid = %u TaskID = %u Httpcode = %u Delete
Cid = %u TaskID = %u IsContinueDownload fail Delete
Cid = %u TaskID = %u IsContinueDownload fail Delete
Cid = %u TaskID = %u WriteRange fail ErrorCode = %u, Delete
Cid = %u TaskID = %u WriteRange fail ErrorCode = %u, Delete
Cid = %u TaskID = %u
Cid = %u TaskID = %u
Cid = %u TaskID = %u OnNotifyHttpData fail Delete
Cid = %u TaskID = %u OnNotifyHttpData fail Delete
Cid = %u TaskID = %u IsContinueDownload fail Delete
Cid = %u TaskID = %u IsContinueDownload fail Delete
Cid = %u TaskID = %u Delete Reason = %u HttpCode = %d
Cid = %u TaskID = %u Delete Reason = %u HttpCode = %d
TaskID = %u Cid = %u
TaskID = %u Cid = %u
TaskID = %u Cid = %u ErrorCode = %d
TaskID = %u Cid = %u ErrorCode = %d
Cid = %u TaskID = %u Delete Reason = %u
Cid = %u TaskID = %u Delete Reason = %u
Cid = %u TaskID = %u OnNotifyHttpRelease Delete
Cid = %u TaskID = %u OnNotifyHttpRelease Delete
%u-%s
%u-%s
TaskID = %u ErrorCode = %u
TaskID = %u ErrorCode = %u
TaskID = %u Index = %u ErrorCode = %d
TaskID = %u Index = %u ErrorCode = %d
[P2SPLOG] Taskid:%d, Filelen:%I64d(Byte), Time:%d(ms), Avgrate:%d(KBps), P2S:%I64d(%d%%), P2P:%I64d(%d%%) Dup %I64u, P2S Dup %I64u, P2P Dup %I64u, MaxConNum:%d
[P2SPLOG] Taskid:%d, Filelen:%I64d(Byte), Time:%d(ms), Avgrate:%d(KBps), P2S:%I64d(%d%%), P2P:%I64d(%d%%) Dup %I64u, P2S Dup %I64u, P2P Dup %I64u, MaxConNum:%d
Cid = %u TaskID = %u WriteSlice fail, Delete
Cid = %u TaskID = %u WriteSlice fail, Delete
Cid = %u TaskID = %u Delete
Cid = %u TaskID = %u Delete
Cid = %u TaskID = %u Read FilePos Error Offset= %I64d FileLen = %I64d
Cid = %u TaskID = %u Read FilePos Error Offset= %I64d FileLen = %I64d
Cid = %u TaskID = %u DataReq Index Error Index = %d MaxIndex = %d
Cid = %u TaskID = %u DataReq Index Error Index = %d MaxIndex = %d
TaskID = %u Load TorrentData fail ErrorCode = %d
TaskID = %u Load TorrentData fail ErrorCode = %d
ERR(%u)-Cid(%u)
ERR(%u)-Cid(%u)
Cid = %u TaskID = %u AsyncStartHttp fail ErrorCode = %d
Cid = %u TaskID = %u AsyncStartHttp fail ErrorCode = %d
Cid = %u TaskID = %u AllocRange fail
Cid = %u TaskID = %u AllocRange fail
TaskID = %u SetFileLen %I64d
TaskID = %u SetFileLen %I64d
TaskID = %u Delay = %d
TaskID = %u Delay = %d
Cid = %u TaskID = %u SendRequest fail ErrorCode = %d
Cid = %u TaskID = %u SendRequest fail ErrorCode = %d
Cid = %u TaskID = %u AllocSlice fail
Cid = %u TaskID = %u AllocSlice fail
TaskID = %u Downlaod fail ErrorCode = %d
TaskID = %u Downlaod fail ErrorCode = %d
TaskID = %u httpMrg Downlaod fail ErrorCode = %d
TaskID = %u httpMrg Downlaod fail ErrorCode = %d
TaskID = %u Downlaod fail ErrorCode = %d
TaskID = %u Downlaod fail ErrorCode = %d
Cid = %u TaskID = %u Torrent Http Start
Cid = %u TaskID = %u Torrent Http Start
TaskID = %u AsyncConnect fail
TaskID = %u AsyncConnect fail
TaskID = %u http init fail
TaskID = %u http init fail
TaskID = %u SetProxy fail
TaskID = %u SetProxy fail
%s:%d-PType(%u)-AType(%u)
%s:%d-PType(%u)-AType(%u)
sd.p.360.cn
sd.p.360.cn
hXXp://sd.p.360.cn/%s.trt
hXXp://sd.p.360.cn/%s.trt
Cid = %u TaskID = %u Torrent Delete
Cid = %u TaskID = %u Torrent Delete
TaskID = %u Download Torret fail
TaskID = %u Download Torret fail
TaskID = %u Cid = %u Dataoffset is bigger than filelen
TaskID = %u Cid = %u Dataoffset is bigger than filelen
TaskID = %u Cid = %u TorrentBuffer is NULL
TaskID = %u Cid = %u TorrentBuffer is NULL
TaskID = %u Cid = %u NOT INIT
TaskID = %u Cid = %u NOT INIT
TaskID = %u Cid = %u Proxy Auth fail
TaskID = %u Cid = %u Proxy Auth fail
TaskID = %u Cid = %u Auth type unknown
TaskID = %u Cid = %u Auth type unknown
Cid = %u TaskID = %u Error = %u
Cid = %u TaskID = %u Error = %u
Cid = %u TaskID = %u OnNotifyTorrentRelease
Cid = %u TaskID = %u OnNotifyTorrentRelease
TaskID = %u Rename start
TaskID = %u Rename start
TaskID = %u CheckFile Start
TaskID = %u CheckFile Start
TaskID = %u change Auth type = %d
TaskID = %u change Auth type = %d
ID(%u)-TYPE(http)-IP(%s)-PORT(%d)
ID(%u)-TYPE(http)-IP(%s)-PORT(%d)
ID(%u)-Host(%s)-IP(%s)-INFO(%s/%s)-TYPE(http)-REASON(%s)-ERRCODE(%u)-ERRPARA(%u)-REDIRECT(%d)-PROXY(%u)-AUTH(%u)-Begin(%I64d)-End(%I64d)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-GetMs(%d)
ID(%u)-Host(%s)-IP(%s)-INFO(%s/%s)-TYPE(http)-REASON(%s)-ERRCODE(%u)-ERRPARA(%u)-REDIRECT(%d)-PROXY(%u)-AUTH(%u)-Begin(%I64d)-End(%I64d)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-GetMs(%d)
%s-Timeout(%d)-Quota(%d)
%s-Timeout(%d)-Quota(%d)
HttpDup
HttpDup
HttpData
HttpData
CID[=] %s(%s) disconnected, reason %d, api %d, state %d, downloaded %I64d, %d ms
CID[=] %s(%s) disconnected, reason %d, api %d, state %d, downloaded %I64d, %d ms
CID[=] %s(%s) closed, error code %d, api %d, state %d, downloaded %I64d, %d ms
CID[=] %s(%s) closed, error code %d, api %d, state %d, downloaded %I64d, %d ms
CID[=] %s(%s) connect ok,cost %d ms
CID[=] %s(%s) connect ok,cost %d ms
CID[=] %s(%s) connect failed, %d
CID[=] %s(%s) connect failed, %d
CID[=] %s(%s) Receive Header Completed , %d bytes , status code:%d , Content-Length : %I64d
CID[=] %s(%s) Receive Header Completed , %d bytes , status code:%d , Content-Length : %I64d
CID[=] %s(%s) Connecting to %s:%d pending %d ms
CID[=] %s(%s) Connecting to %s:%d pending %d ms
CID[=] %s(%s) Connecting to %s:%d failed, error code:%d %d ms
CID[=] %s(%s) Connecting to %s:%d failed, error code:%d %d ms
DNS Result :%s
DNS Result :%s
DNS Error %d
DNS Error %d
CID[=] Connecting to %s:%d
CID[=] Connecting to %s:%d
CID[=] %s(%s) Connecting to %s:%d
CID[=] %s(%s) Connecting to %s:%d
============addportmap success
============addportmap success
HTTP://
HTTP://
TaskID = %u exception raised in method CFileMgr::Read, read from file fail(call ReadFile), error code is %d
TaskID = %u exception raised in method CFileMgr::Read, read from file fail(call ReadFile), error code is %d
TaskID = %u exception raised in method CFileMgr::GetSize, file size is too huge
TaskID = %u exception raised in method CFileMgr::GetSize, file size is too huge
TaskID = %u exception raised in method CFileMgr::GetSize, get file size fail(call GetFileSize), error code is %d
TaskID = %u exception raised in method CFileMgr::GetSize, get file size fail(call GetFileSize), error code is %d
TaskID = %u exception raised in method CFileMgr::LoadMemFile, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::LoadMemFile, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter nNumber must greater than zero
TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter nNumber must greater than zero
TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::LoadMemFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::SetMemFile, read from file fail(call WriteFile), error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, read from file fail(call WriteFile), error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, error code is %d
TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter nNumber must greater than zero
TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter nNumber must greater than zero
TaskID = %u ,exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL
TaskID = %u ,exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::GetMemSize, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::GetMemSize, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter nNumber must greater than zero
TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter nNumber must greater than zero
TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::LoadTorrentFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, file size is too huge
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, file size is too huge
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, get file size fail(call GetFileSize), error code is %d
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, get file size fail(call GetFileSize), error code is %d
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, open file fail, error code is %d
TaskID = %u exception raised in method CFileMgr::GetTorrentSize, open file fail, error code is %d
IsFileExisting Error = %d
IsFileExisting Error = %d
[AllocRange] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocRange] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocRange] cid(%d) ok, from %I64d to %I64d. (%I64d) length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocRange] cid(%d) ok, from %I64d to %I64d. (%I64d) length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[WriteRange] cid(%d) fail. from %I64d to %I64d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[WriteRange] cid(%d) fail. from %I64d to %I64d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocSlice] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocSlice] cid(%d) fail, errcode:0XX. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocSlice] cid(%d) ok, index(%d) from %d to %d. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[AllocSlice] cid(%d) ok, index(%d) from %d to %d. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[WriteSlice] cid(%d) fail. index(%d) from %d to %d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[WriteSlice] cid(%d) fail. index(%d) from %d to %d, errcode:X. length:%I64d, restore:%I64d, download:%I64d, errlen:%I64d, Pduplen:%I64d, Sduplen:%I64d
[__LoadTorrent] invalid torrent file! errcode:x
[__LoadTorrent] invalid torrent file! errcode:x
ID(%u)-TYPE(p2p)-REASON(%s)-ERRCODE(%u)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-BitMs(%d)
ID(%u)-TYPE(p2p)-REASON(%s)-ERRCODE(%u)-Vol(%I64d)-Rate(%u)-ConnMs(%d)-BitMs(%d)
ID(%u)-TYPE(p2p)-IP(%s)-PORT(%d)-NAT(%d)
ID(%u)-TYPE(p2p)-IP(%s)-PORT(%d)-NAT(%d)
TaskID = %u
TaskID = %u
TaskID = %u result = %d
TaskID = %u result = %d
RES(%d)-CNT(%d)
RES(%d)-CNT(%d)
ID(%u)-TYPE(http)-IP(0)-PORT(0)
ID(%u)-TYPE(http)-IP(0)-PORT(0)
Ip = %s
Ip = %s
Cid = %u TaskID = %u Rate = %u MaxRate = %u ,
Cid = %u TaskID = %u Rate = %u MaxRate = %u ,
Cid = %u TaskID = %u ConnectNum = %d
Cid = %u TaskID = %u ConnectNum = %d
Cid = %u TaskID = %u Ip = %s
Cid = %u TaskID = %u Ip = %s
TaskID = %u proxy=%d,Errcode = %u
TaskID = %u proxy=%d,Errcode = %u
TaskID = %u proxy=%d,Errcode = %u
TaskID = %u proxy=%d,Errcode = %u
TaskID = %u Errcode = %u
TaskID = %u Errcode = %u
TaskID = %u ErrorCode = %d,
TaskID = %u ErrorCode = %d,
TaskID = %u ErrorCode = %d ,
TaskID = %u ErrorCode = %d ,
Cid = %u TaskID = %u AsyncStartDownload from =%I64d to = %I64d HttpNum = %d
Cid = %u TaskID = %u AsyncStartDownload from =%I64d to = %I64d HttpNum = %d
TaskID = %u ErrorCode =%d,
TaskID = %u ErrorCode =%d,
Cid = %u TaskID = %u StopHttp
Cid = %u TaskID = %u StopHttp
Cid = %u TaskID = %u Http connect ok
Cid = %u TaskID = %u Http connect ok
OLDIP(%s)-OLDURL(%s)-NEWURL(%s)
OLDIP(%s)-OLDURL(%s)-NEWURL(%s)
Cid = %u TaskID = %u Recv Http Head Msg ,httpcode= %u
Cid = %u TaskID = %u Recv Http Head Msg ,httpcode= %u
Cid = %u TaskID = %u OnNotifyHttpData can not http
Cid = %u TaskID = %u OnNotifyHttpData can not http
TaskID = %u Cid = %u Proxy Fail Errcode = %u Ip = %s
TaskID = %u Cid = %u Proxy Fail Errcode = %u Ip = %s
TaskID = %u Cid = %u HttpErrcode = %u ip = %s
TaskID = %u Cid = %u HttpErrcode = %u ip = %s
TaskID = %u Cid = %u HttpCode = %u Ip = %s,
TaskID = %u Cid = %u HttpCode = %u Ip = %s,
TaskID = %u Cid = %u Fail Errcode = %u Ip = %s
TaskID = %u Cid = %u Fail Errcode = %u Ip = %s
TaskID = %u,Cid = %u change Auth type = %d
TaskID = %u,Cid = %u change Auth type = %d
Cid = %u TaskID = %u by DeleteHttp
Cid = %u TaskID = %u by DeleteHttp
Cid = %u TaskID = %u By DeleteConnect
Cid = %u TaskID = %u By DeleteConnect
Cid = %u TaskID = %u By DeleteAllHttp
Cid = %u TaskID = %u By DeleteAllHttp
Cid = %u TaskID = %u By DeleteAllConnect
Cid = %u TaskID = %u By DeleteAllConnect
ID(%u)-Host(%s)-IP(%s)-TYPE(http)-REASON(PRECONN)-ERRCODE(%u)-ERRPARA(%u)
ID(%u)-Host(%s)-IP(%s)-TYPE(http)-REASON(PRECONN)-ERRCODE(%u)-ERRPARA(%u)
%s->%s:%d-PType(%u)-AType(%u)
%s->%s:%d-PType(%u)-AType(%u)
Ip = %s Url
Ip = %s Url
Ip = %s url= %s
Ip = %s url= %s
Cid = %u TaskID = %u proxy fail
Cid = %u TaskID = %u proxy fail
Cid = %u TaskID = %u ProcHttpUnKnowncode ,HttpCode = %u
Cid = %u TaskID = %u ProcHttpUnKnowncode ,HttpCode = %u
Cid[%u] AuthType[%d:%d] ProxyHost[%s:%d]
Cid[%u] AuthType[%d:%d] ProxyHost[%s:%d]
Cid[%u] AuthType[%d] ProxyHost[%s:%d]
Cid[%u] AuthType[%d] ProxyHost[%s:%d]
TaskID = %u Cid = %u Httpcode = %d Ip = %s
TaskID = %u Cid = %u Httpcode = %d Ip = %s
TaskID = %u Cid = %u Httpcode = %d Ip = %s,
TaskID = %u Cid = %u Httpcode = %d Ip = %s,
TaskID = %u Cid = %u Httpcode = %d Url= %s
TaskID = %u Cid = %u Httpcode = %d Url= %s
TaskID = %u Cid = %u Httpcode = %d Ip = %s ,
TaskID = %u Cid = %u Httpcode = %d Ip = %s ,
TaskID = %u Cid = %u Httpcode = %d Ip = %s
TaskID = %u Cid = %u Httpcode = %d Ip = %s
[P2SPHOST::__addurl] %s
[P2SPHOST::__addurl] %s
[P2SPHOST::AddIplist] %s - %s
[P2SPHOST::AddIplist] %s - %s
[P2SPHOST::AddIplist] reparse host:%s
[P2SPHOST::AddIplist] reparse host:%s
[P2SPHOST::BlockUrl] URL: %s
[P2SPHOST::BlockUrl] URL: %s
[P2SPHOST::BlockUrl] invalid URL: %s
[P2SPHOST::BlockUrl] invalid URL: %s
[P2SPHOST::BlockIp] invalid IP: %s
[P2SPHOST::BlockIp] invalid IP: %s
[P2SPHOST::BlockIp] IP: %s
[P2SPHOST::BlockIp] IP: %s
[P2SPHOST::BlockIp] mask error(%d-%d). IP: %s
[P2SPHOST::BlockIp] mask error(%d-%d). IP: %s
[P2SPHOST::BlockIp] too much error(%d-%d). IP: %s
[P2SPHOST::BlockIp] too much error(%d-%d). IP: %s
[P2SPHOST::PickIp] IP: %s, traffic: %d, file: %s
[P2SPHOST::PickIp] IP: %s, traffic: %d, file: %s
[P2SPHOST::UpdateCidTraffic] ip(%s) not mapped!
[P2SPHOST::UpdateCidTraffic] ip(%s) not mapped!
D:\root.d\dev\360\C \360PubSrc\360Base\QHMD5.cpp
D:\root.d\dev\360\C \360PubSrc\360Base\QHMD5.cpp
netmsg.dll
netmsg.dll
mqutil.dll
mqutil.dll
wininet.dll
wininet.dll
__crt
__crt
|hu-hu-hu|hu:hu:hu|%s|%d|%s|%s|%d|%s
|hu-hu-hu|hu:hu:hu|%s|%d|%s|%s|%d|%s
%x:%x
%x:%x
%s %u
%s %u
1830B7BD-F7A3-4c4d-989B-C004DE465EDE
1830B7BD-F7A3-4c4d-989B-C004DE465EDE
D:\ROOT.D\DEV\360\C \360PUBSRC\360GPUB\INCLUDE\QHTL.h
D:\ROOT.D\DEV\360\C \360PUBSRC\360GPUB\INCLUDE\QHTL.h
HTTPDOWNLIB
HTTPDOWNLIB
360.cn
360.cn
2, 2, 0, 1004
2, 2, 0, 1004
Copyright (C) 360.cn Inc.All Rights Reserve
Copyright (C) 360.cn Inc.All Rights Reserve
)hXXp://pinst.360.cn/360safe/safe_home.cab
)hXXp://pinst.360.cn/360safe/safe_home.cab
%s\360\
%s\360\
'hXXp://VVV.360.cn/custom/xukexieyi.html
'hXXp://VVV.360.cn/custom/xukexieyi.html
%s...
%s...
: %dMB
: %dMB
: %dKB/S
: %dKB/S
setup.ini
setup.ini
360Inst_62.exe_644_rwx_00DF0000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.text
.text
360Inst_62.exe_644_rwx_00E00000_00001000:
|360inst_62.exeM_644_
|360inst_62.exeM_644_
Explorer.EXE_532_rwx_00FF0000_00002000:
SHELL32.DLL
SHELL32.DLL
ShellExecuteA
ShellExecuteA
KERNEL32.DLL
KERNEL32.DLL
.text
.text
Explorer.EXE_532_rwx_01E20000_00001000:
|explorer.exeM_532_
|explorer.exeM_532_