Skip to main content

Gen.Variant.Zusy.138130_0b6f8cb649


Trojan-Dropper.Win32.Sysn.auuu (Kaspersky), Gen:Variant.Zusy.138130 (B) (Emsisoft), Gen:Variant.Zusy.138130 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, HackTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 0b6f8cb649b3f077d78d9a6a46cc7445

SHA1: b7eb29ef8b972896099d5172db635f8555329621

SHA256: d6060cd0658f63e3e2408b34ad3a763adf98059b7b0696354391b6bc2a5369d3

SSDeep: 12288:WkIuNYzne02RjsskAUwxD8WyItMbQ540gFTUWBO:jIu6Te02Rj1RAWcbQ5BW

Size: 587776 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2015-04-20 01:05:14

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

hkmsvc.exe:3716
hkmsvc.exe:2716
hkmsvc.exe:3076
hkmsvc.exe:3712
hkmsvc.exe:3496
hkmsvc.exe:3928
hkmsvc.exe:3288
hkmsvc.exe:2840
hkmsvc.exe:3048
hkmsvc.exe:2096
hkmsvc.exe:3324
hkmsvc.exe:136
hkmsvc.exe:3328
hkmsvc.exe:496
hkmsvc.exe:3808
hkmsvc.exe:2524
hkmsvc.exe:3128
hkmsvc.exe:2320
hkmsvc.exe:2612
hkmsvc.exe:3552
hkmsvc.exe:1944
hkmsvc.exe:404
hkmsvc.exe:2952
hkmsvc.exe:2244
hkmsvc.exe:932
hkmsvc.exe:1916
hkmsvc.exe:2240
hkmsvc.exe:3992
hkmsvc.exe:2408
hkmsvc.exe:3764
hkmsvc.exe:3832
hkmsvc.exe:2704
hkmsvc.exe:2852
hkmsvc.exe:2468
hkmsvc.exe:3484
hkmsvc.exe:3932
hkmsvc.exe:120
hkmsvc.exe:3332
hkmsvc.exe:4032
hkmsvc.exe:1952
hkmsvc.exe:3644
hkmsvc.exe:1068
hkmsvc.exe:2552
hkmsvc.exe:2556
hkmsvc.exe:3568
hkmsvc.exe:2492
hkmsvc.exe:2996
hkmsvc.exe:3244
hkmsvc.exe:2068
hkmsvc.exe:2804
hkmsvc.exe:2060
hkmsvc.exe:2256
hkmsvc.exe:2992
hkmsvc.exe:3000
hkmsvc.exe:3772
hkmsvc.exe:3240
hkmsvc.exe:1324
hkmsvc.exe:2872
hkmsvc.exe:3944
hkmsvc.exe:3440
hkmsvc.exe:3276
hkmsvc.exe:3144
hkmsvc.exe:396
hkmsvc.exe:3672
hkmsvc.exe:2308
hkmsvc.exe:3476
hkmsvc.exe:3472
hkmsvc.exe:2300
hkmsvc.exe:3648
hkmsvc.exe:3024
hkmsvc.exe:4048
hkmsvc.exe:2788
hkmsvc.exe:1856
hkmsvc.exe:3160
hkmsvc.exe:420
hkmsvc.exe:1400
hkmsvc.exe:3744
hkmsvc.exe:912
hkmsvc.exe:3812
hkmsvc.exe:584
hkmsvc.exe:3816
hkmsvc.exe:304
hkmsvc.exe:2448
hkmsvc.exe:2932
hkmsvc.exe:2880
hkmsvc.exe:588
hkmsvc.exe:2764
hkmsvc.exe:384
hkmsvc.exe:240
hkmsvc.exe:3848
hkmsvc.exe:3368
hkmsvc.exe:2832
hkmsvc.exe:3316
hkmsvc.exe:784
hkmsvc.exe:4056
hkmsvc.exe:2276
hkmsvc.exe:4052
hkmsvc.exe:3396
hkmsvc.exe:2576
hkmsvc.exe:3096
hkmsvc.exe:2676
hkmsvc.exe:1972
hkmsvc.exe:2372
hkmsvc.exe:516
hkmsvc.exe:2616
hkmsvc.exe:3596
hkmsvc.exe:3616
hkmsvc.exe:2476
hkmsvc.exe:3804
hkmsvc.exe:1344
hkmsvc.exe:2296
hkmsvc.exe:456
hkmsvc.exe:3756
hkmsvc.exe:3004
hkmsvc.exe:3824
hkmsvc.exe:3256
hkmsvc.exe:2196
hkmsvc.exe:1900
hkmsvc.exe:1588
hkmsvc.exe:2204
hkmsvc.exe:4064
hkmsvc.exe:2056
hkmsvc.exe:2888
hkmsvc.exe:1732
hkmsvc.exe:2564
hkmsvc.exe:3388
hkmsvc.exe:2688
hkmsvc.exe:3088
hkmsvc.exe:2684
hkmsvc.exe:1508
hkmsvc.exe:2680
hkmsvc.exe:2116
hkmsvc.exe:2816
hkmsvc.exe:2420
hkmsvc.exe:460
hkmsvc.exe:2588
hkmsvc.exe:3892
hkmsvc.exe:3072
hkmsvc.exe:2180
hkmsvc.exe:3520
hkmsvc.exe:3996
hkmsvc.exe:3724
hkmsvc.exe:4076
hkmsvc.exe:3528
hkmsvc.exe:3176
hkmsvc.exe:3688
hkmsvc.exe:3376
hkmsvc.exe:2896
hkmsvc.exe:3372
hkmsvc.exe:3684
hkmsvc.exe:3012
hkmsvc.exe:3964
hkmsvc.exe:2108
hkmsvc.exe:3960
hkmsvc.exe:1744
hkmsvc.exe:3272
hkmsvc.exe:2356
hkmsvc.exe:1632
hkmsvc.exe:2860
hkmsvc.exe:2736
hkmsvc.exe:2232
hkmsvc.exe:3900
hkmsvc.exe:600
hkmsvc.exe:3680
hkmsvc.exe:3860
hkmsvc.exe:3908
hkmsvc.exe:3220
hkmsvc.exe:2824
hkmsvc.exe:2944
hkmsvc.exe:3732
hkmsvc.exe:3068
hkmsvc.exe:2340
hkmsvc.exe:876
hkmsvc.exe:3340
hkmsvc.exe:4004
hkmsvc.exe:1136
hkmsvc.exe:3344
hkmsvc.exe:956
hkmsvc.exe:3184
hkmsvc.exe:1692
hkmsvc.exe:2508
hkmsvc.exe:2748
hkmsvc.exe:3192
hkmsvc.exe:1752
hkmsvc.exe:2500
hkmsvc.exe:2648
hkmsvc.exe:3628
hkmsvc.exe:2876
hkmsvc.exe:3624
hkmsvc.exe:2728
hkmsvc.exe:3500
hkmsvc.exe:3352
hkmsvc.exe:3236
hkmsvc.exe:1884
hkmsvc.exe:2332
hkmsvc.exe:3428
hkmsvc.exe:3420
hkmsvc.exe:3548
hkmsvc.exe:4016
hkmsvc.exe:2000
hkmsvc.exe:3576
hkmsvc.exe:2532
hkmsvc.exe:2604
hkmsvc.exe:1368
AppMgmt.exe:332
%original file name%.exe:1992
vbc.exe:3872
vbc.exe:2348

The Trojan injects its code into the following process(es):

hkmsvc.exe:2132
AppMgmt.exe:2384
%original file name%.exe:640

Mutexes

The following mutexes were created/opened:

ShimCacheMutexRasPbFile

File activity

The process hkmsvc.exe:2132 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (0 bytes)

The process %original file name%.exe:640 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (3361 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)

The process %original file name%.exe:1992 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (3361 bytes)

The process vbc.exe:3872 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)

Registry activity

The process hkmsvc.exe:3716 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 05 F0 F3 9A 7E 30 FD DD 86 32 E2 12 80 8F 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2716 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D2 6C 66 30 E7 8A A3 12 AB C2 1A AC D9 63 7D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 46 21 2F 8A 8F 02 36 5F 9C 25 E1 A6 EC 48 E6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3712 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 19 9F A4 22 28 52 34 8C 47 FA B5 D2 6B A3 EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 D8 32 7E 3C 16 42 80 DF 8D 6A F5 B2 28 A5 D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 97 23 87 64 1D 6E C0 E8 4A C6 64 A0 9D 8C C6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3288 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 90 93 C9 F3 8B 85 27 51 A6 10 A4 E0 A1 D6 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2840 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 F6 AB BD B0 29 E8 08 33 B6 90 A1 1D A2 48 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3048 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 4B 47 87 CB B9 8B E9 76 91 55 B9 AB 0D 07 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2096 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AA EC 95 B3 86 F6 D5 AA 96 EB D6 78 0B 0A 94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 90 57 C6 9A 93 31 C6 8E 17 22 F8 F4 86 31 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 19 BF 3C 5E AA 20 51 FC 7E F0 9D B9 2D 69 35"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3328 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC CD E0 41 51 FA 68 71 0A 82 8C 32 7C DD 92 2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 6E B1 4B 81 87 90 BD 51 A0 15 CB 31 48 F9 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3808 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F A4 4E E3 48 75 2A 99 83 60 79 CE 1A 10 85 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2524 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E4 25 D8 4D 90 55 E0 05 DD 08 3D D7 8B 8C 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3128 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 22 1F BF 96 4C 67 FD 71 1E 43 7D BB C4 36 3F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 90 62 6D 5B 1E 76 5E 5B F4 E1 D4 4E A2 B8 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2612 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6F 23 D9 67 43 19 62 5C 91 12 2D F5 11 07 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 49 AD 11 C7 39 34 B6 CE 83 9B DF 06 8D CD 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 9E D7 CF E0 E9 51 1C 08 6E 12 F6 A2 38 01 F5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 9F F2 FC 3B 42 9D 3D 3E 04 87 31 26 2C 90 11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 28 B1 FA 19 96 8D D9 9E CF 0C F9 BA 96 54 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC A9 81 46 ED 74 CE 14 D3 D9 CE 01 D1 62 02 4E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 98 B5 3A C9 6B EF 9F 52 9E 93 D2 3F 0A 99 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 02 F8 8A 29 D2 68 6E 6F 07 AF 41 19 80 E9 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 41 85 DE BF 65 0A 71 10 0E D4 D0 B1 53 F4 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3992 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C D1 07 50 FE F4 67 F9 0E 47 9B E0 69 CE 02 EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2408 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 7B 87 5A 3E 73 C2 A5 84 12 ED A6 92 A8 93 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3764 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C F9 09 39 77 09 8E C9 ED C5 44 9B 58 36 BA 85"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 49 3E AB 28 D1 B7 43 65 F7 55 5E B3 3C 81 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2704 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 D5 32 FF 86 31 80 DB 64 D5 EE 34 34 7E 7B 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2852 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD AA F9 67 76 6E D1 EC 59 44 E2 E4 B4 65 91 E2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 CA 74 9D 4A B9 8E C7 66 D2 4B 6B 8C 19 E4 C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3484 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 15 EB EE 15 81 2D 9F 64 10 07 89 D1 DA 52 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 9B 6D 34 CF 83 8F 75 B5 34 C1 11 8F 76 C5 6D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:120 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 47 CA 3E 96 8D 54 E9 8A 1A 3E AE DE 91 36 CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 69 58 0F B8 27 E5 A0 63 C5 F5 CE 1B 29 3A 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4032 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AF 5D 0D C4 B2 40 04 8C EB 5C 21 F0 1B 42 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1952 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 7B 62 9B A9 D9 48 41 7F E1 D1 1A 9A 52 AF 19"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3644 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 0A 80 98 D6 36 A3 14 4C 41 B2 8A A2 F8 E1 E1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6F 39 12 3F CA 14 9B FD 88 F5 33 37 27 40 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2552 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 47 DA 3B D3 A5 34 3C 67 2A 93 BE EB 9D D0 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2556 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B FD 01 1E B9 A1 29 03 0A 34 3E 6D 13 1F C7 AB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3568 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 7D 94 70 FE 57 2D DA DC DC F0 8D 4A 6E FC 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2492 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 0E BE AD B8 40 FB 7A DB 50 06 32 86 6A 31 3D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2996 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 6C A6 96 F0 56 96 94 E0 26 9D 7D FB 3C 55 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3244 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 7D 6A C1 82 0F 20 E5 ED F2 B2 96 63 72 E8 DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 5B 9B D7 C0 D6 C1 5C 1B 1C 5A 8E 02 FC 66 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2804 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 20 D4 AD A9 70 F2 37 A4 B1 2F EA A5 D2 BA 48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2060 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 B6 58 EF 37 85 02 23 90 66 50 26 2E B4 70 E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 B8 B4 A2 D4 84 F6 10 B1 A1 FA B5 81 EE B2 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2992 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 3E A0 C3 ED B9 34 83 FC F7 4E F3 F3 D7 E4 17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 2A E8 B3 CD C7 8B 59 EF 2D D9 56 A9 66 12 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3772 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 11 90 FE 8C 75 AC 82 AF 45 E5 17 C3 8E AC 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 3B 11 AC 8E F6 A9 CC 2F 73 66 55 BC 63 2C 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E4 97 C1 FA 2A 6B B3 5B 8F 00 2D DC CB 6C 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 BF BD B9 C0 0A 2E 6E 74 73 E1 54 9B 8C 52 B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A C7 79 32 13 4D 93 89 5E 3C C8 EA C1 43 2B 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3440 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 99 D1 0B D1 17 E7 9C A3 BB BD 32 57 BF 6D 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 55 A8 C9 D3 1F 31 99 C6 4E 7E C5 AD 37 C6 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3144 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 27 0E DB 87 CE EF C6 51 C5 FE 38 21 CE 4A E0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:396 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 68 B7 DA 43 9F 94 9B AC B1 54 2D D5 BC 83 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3672 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 DC D9 55 A9 E4 66 EA EA 86 62 7C 8D CC B9 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2308 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B FC 98 87 C6 DC BF 35 A9 10 CC 94 36 BF 7F 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D AA 97 3D 9E 4D 4C 8B 1E 2C 40 83 F3 67 5E 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3472 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 08 60 FF 3E 9D 98 F6 2F 5C BB 58 D5 C7 4F 3D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2300 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B9 77 7B A2 13 6D AE 3C 0A 65 44 09 F3 98 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 8E 48 AA 23 4E D8 EB 32 4C DE 11 A4 35 E7 C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB CF 01 05 36 09 C6 17 16 11 C1 CC 1C 78 16 B5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4048 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 E2 E0 12 CF CB C8 A5 C4 AD 07 AF 29 8E 3F 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2788 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 16 0D 61 C0 DD BB 84 90 CA 04 A7 BB 67 47 94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1856 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 53 84 B7 A8 60 2D 32 3B F8 02 F8 C1 9E AC E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3160 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 53 32 44 58 B0 C7 46 1F 17 BE C1 64 AA 91 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 96 34 CE 93 91 D3 47 38 43 57 D3 96 E7 CD 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1400 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B1 48 05 FC 0E 9C 0D 45 36 FC 8F 71 41 41 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 03 B4 57 65 22 7C 4B 46 9B EF 41 F5 15 BB 79"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:912 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 14 AB C8 3E 37 C0 A6 C5 E4 2E 4E 52 27 6A EA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3812 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 A1 D1 0C 84 5D 6A DF E5 EF 72 AA DB A6 80 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:584 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FF 72 56 33 6E 16 93 69 9F 0E 07 21 33 A0 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3816 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 5E C3 E1 5F A8 BD 6D E0 66 A9 B0 1E 02 7F 88"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE EB E5 B8 F2 E5 6B B5 6B 45 2F 70 D7 FE 40 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2448 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A2 FA DD C0 E4 45 24 EF 3E 31 E8 5F 42 CC 2A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2932 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 33 FC 66 77 69 16 7F 94 21 F9 A9 B8 14 D2 17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2880 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B5 51 9C 9B 50 EF 61 4E A9 7A 40 5E A4 A0 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 DF 13 8E EF D8 B3 14 74 01 29 B6 7B 4F AD 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2764 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B9 12 E4 94 B0 63 36 B5 A6 90 71 AD C3 96 C5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 E8 10 D3 DE 71 BB 85 CD 6D 21 DC 6F CE 4D 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:240 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 2B A0 FF 2B 8F 97 F6 52 8A B0 4E 78 A7 27 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3848 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C A5 67 51 CF 07 B1 06 57 BA FD 03 87 85 04 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 5A 36 60 ED B9 0D F1 12 36 06 A3 3B 13 D9 E2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 04 DE 63 8C 78 E4 4E 7F F9 CE B5 BB DC 33 CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3316 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 19 6A DE 3B 68 AA AD EB A0 0F 71 9D 8F D1 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:784 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 7E 92 8D 7A 74 D3 86 AA 49 7F E7 63 A8 77 FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 44 76 36 E3 BD 4B 4E 0B C2 76 BC E3 8A 50 BB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2276 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B4 41 B4 85 CE C1 C3 EF 46 F0 FB 97 AD 57 4C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4052 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C E6 C2 A6 DD 94 B0 D4 89 00 17 1C 3C CE A4 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3396 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 AD 16 A4 BF 92 61 0F BE 1E 81 D6 F3 77 63 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A7 27 02 8C 2D 32 16 2E FC 5C 02 99 B4 46 AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3096 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 28 DC 76 4E 27 4C 61 1F FA BA A2 77 82 8A AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2676 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC AF 94 00 1D F5 37 AF 64 EB 65 FC 1C DB AA 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1972 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 AE 9C F0 C3 27 03 DE 8F 1B 5E 18 D6 8C 2D 26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 DC 5B 70 7B 55 FE F5 CE 09 44 AD 16 B7 42 EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:516 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 2A 37 26 B4 89 BC 53 ED 92 00 E4 63 C9 19 AB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2616 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E9 4C 0B A9 25 CE BF 47 36 BC C8 12 75 B3 12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 78 62 F8 80 E2 ED 17 35 9E 72 C3 6E 6A 35 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3616 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 ED 0B 94 95 EE CF B7 DA BF DE 05 1A 25 F9 CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C DE DD 84 84 34 36 1E 10 6A A3 AC F2 5E 66 E1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3804 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 2F 59 CA 14 3D E8 72 F4 CF 3A F6 13 8B 9E 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 D7 0A 51 ED BF 86 FF B0 B0 85 15 36 61 CA 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2296 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FD 34 9C 9B D7 9E 0E 86 E0 12 B9 EA 25 5A 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 2C 2F 4A 37 89 6C DD 89 5D 8E 6D 28 60 FE 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3756 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 B5 B6 8E 6B 56 57 66 39 E6 34 C0 3D DF 5B DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3004 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 0A 89 CF F0 9E 12 BF B1 DB 01 BF DF D6 E1 B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 40 F7 7C EF 20 6A 25 AF A7 54 06 92 CA DD FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3256 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 F6 7B 53 97 48 C7 B4 9C 6A 5F CF A4 8C 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2196 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 8F 40 FA 83 12 98 BB 30 07 5A 35 88 EC 8D 20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B F1 A1 5F C0 85 BF 6D 1B DB 76 D6 BA F8 00 48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 11 B0 BD 7B E7 BA 3D 27 F3 52 B4 CE E8 BF 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2204 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 5F AD 02 75 7F FD E9 22 EC FC FD 83 31 8E 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4064 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA FE 72 70 1B 56 54 8F B6 19 06 D4 4F AA 4D F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2056 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA B9 B2 9B 94 3D FC 26 D9 B5 56 89 FD 74 CF 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2888 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 F1 76 6B 82 99 FC F9 DF B7 75 B6 35 7C 49 C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1732 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 0A 3C 06 5E D3 56 58 E3 1A 3E D7 4D 6D A7 FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2564 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 45 24 D4 00 84 75 E6 81 D2 D8 22 67 14 B4 AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3388 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 A5 3F E5 79 60 46 F4 9F D9 B9 7D 92 3B F1 FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2688 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 37 E3 58 B6 36 86 B2 06 07 6E 56 A0 05 DA 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3088 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 5D BC 1E 83 34 72 F4 A1 D5 EB 45 48 02 C1 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A C3 E9 68 5B E6 A3 13 3D D9 11 3B 79 7F 88 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 8E 5D 55 86 7F E5 A0 AB 5C EF 2F 61 D3 75 06"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 43 C7 59 95 34 2E BA 3C 9B AA CB 95 70 D5 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2116 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 35 55 B2 B6 65 3F FD 40 F4 FC A6 F5 24 D4 BB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2816 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 65 4B AB CC 6E 2B 14 33 91 B9 48 AE 2C 03 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 13 05 36 62 56 B2 A1 35 69 74 8B 95 B9 DA 63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A2 EF AF 6C 09 7B 5C 85 BC D4 3D B6 6E 2F C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 DE FA E4 89 DB AE AB 6D 9F EB 3B 5D C9 A7 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3892 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 28 7C 63 FA 63 FE 7D DA 73 C2 0F 67 74 AB B2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3072 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F D3 AC 73 3E 9D 2D EC 67 2D A6 FB 6F EA 5C 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2180 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D BB 2E 63 93 3A 88 FA 78 82 41 23 14 E5 D6 A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3520 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 FC 1E 8B BC 7C 75 BB 84 D9 09 7E DB 91 17 BD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3996 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 66 5D 45 FF DA E1 8F D3 B3 78 EB 09 B3 74 C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3724 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 0F 42 6D 7E 1A 50 33 C3 C6 0F 84 74 4A ED EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 E0 5F E6 8E 01 3D F5 37 B7 8E CE EE EA 59 43"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3528 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 20 85 E1 B8 B7 47 E9 1E 1C 94 E5 B9 62 22 12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 78 27 E1 74 AC CF 46 D8 9D 87 E9 F3 BE B7 25"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3688 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C F7 72 06 10 34 4C 46 2F EE CE 82 4B FD E5 CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3376 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B7 40 53 1B 9F 77 12 46 EE 93 43 20 DB FA 81"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2896 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 9D FC 35 05 5D B0 2E 90 B4 00 84 1C 74 DE 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3372 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 47 43 7A B6 EC A0 9E 16 56 B5 2B 6E 75 23 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3684 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 43 7B 7E A5 5D FF C5 DB 4D BC 4B 28 54 65 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 B7 78 BC 12 01 CA FC C2 D8 94 66 C0 3B E9 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3964 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 04 24 9A AA CC 71 E9 4F 7F E6 17 0A 63 F1 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2108 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 F3 14 9C 3A 7F 47 81 A0 36 3F EF C9 63 96 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 4C CA 8C 06 AD 91 A0 17 59 41 24 7E 3E 0C 23"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1744 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 AF 08 5B 43 95 2A 83 FE 63 10 E6 24 AF 60 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3272 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 E8 DC C2 5C 6C FF 5F A0 F3 BC 73 FB B5 6B F7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2356 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 19 2E C5 37 60 69 F6 2D 73 DC C9 85 42 0F B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1632 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB FE 0E A0 C7 C7 76 31 48 16 E4 AC 40 DC 03 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F7 C4 1F 8F 43 D0 4F 35 86 D6 4A A6 CA E5 AC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2736 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 38 B5 59 2F 4F 5C 7E 54 06 84 BF 95 65 73 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2232 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 B7 85 8D B2 95 22 14 65 3C 06 32 E7 11 FF 96"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3900 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 76 9E 3E E1 F7 DB FA AB B2 B3 1C 10 A4 36 E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:600 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 CC 61 A2 AF 3F C9 D5 AD B3 28 6C 73 0F 22 DE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3680 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 80 5E B3 19 F1 1C B4 D2 61 6E 9B 32 3E 03 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3860 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 95 B8 71 61 59 DC 47 50 03 75 82 07 23 C8 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF B1 4E 1B ED 5B 51 51 2E C1 66 2F BC FF B1 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3220 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 99 75 14 4C 96 F3 0E F5 EE DF 95 73 82 69 5F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 DB 2D 1E 2F 9F 66 84 6B 99 8C 0C DC E6 65 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 EC 0E 13 9E DC 9B 4F F5 EB 94 50 75 F3 C0 FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3732 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 04 C5 A0 24 F2 DC 4D 8A DF 61 2B 00 73 04 EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3068 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 AC 5A 42 FD 25 7F D1 94 88 6A 71 6B 6C B8 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2132 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A3 CE 1A 3F B4 05 96 9D 03 8C 04 5A 8D 1A 0B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process hkmsvc.exe:2340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 96 4B 15 3A AB 3A D2 EB C5 D5 68 9D C7 16 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 11 AF 81 7E C9 7B B7 B7 53 9B 2C DA 00 D5 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3340 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 6D 9E C4 E0 E2 62 8C C2 E4 56 37 8A E4 16 AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4004 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA CC A4 80 82 EB B2 FA 6F E6 96 86 A5 CD 79 F4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1136 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 C2 73 79 1C 5E 74 48 E7 2A 5B 91 37 4E D2 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 82 D5 7F E2 64 A7 95 FB F0 75 DD EB 36 EA 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:956 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4C A8 DB 68 8D 51 AB 45 28 27 63 D6 2B B7 22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3184 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 A9 69 A1 16 3A 51 0F 4E F8 E1 E0 01 D1 1F A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1692 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B4 29 64 94 EB 0B B6 A7 0E E7 0E 81 E4 86 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 CA D5 FA 8A D2 20 F6 D7 8E 73 89 AB 3B CC D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2748 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A A9 45 A2 12 F6 5F 9F 29 24 88 E0 42 6F 5E 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 85 A9 B0 94 F1 67 63 6C 5E 08 BA EB ED 11 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1752 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 62 F3 25 2B 4F F4 43 36 A7 87 B8 61 17 71 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 AF 1F A2 FD D5 29 83 65 99 6D BC B1 3D 2E 67"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2648 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 B6 24 21 68 37 35 FF 41 C6 CB 32 9D 75 A2 CE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3628 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 FD 91 1F 03 95 54 60 9C AB 7B 25 FC 7C C8 D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2876 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 12 01 0E B6 ED E2 92 92 AA F8 40 8B BC 03 B0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3624 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 F3 80 03 03 B5 69 24 D3 04 21 01 D4 3D 4D 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2728 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA A2 46 22 CD DC AE C8 D7 DE 13 6C 68 1C 22 24"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3500 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 EF CB 53 8F A5 60 D3 70 CA 73 D8 14 DA 6D 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3352 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 80 F1 61 EC F4 DC 63 C1 3B 37 8A 0D 8B AE AC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3236 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E AC F0 94 9F 86 BE F9 64 9E DA 10 3B 63 88 DE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 1F CA 1E 0B FE A0 A7 2D 4F EB D7 F5 19 10 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A C9 71 B7 AE 48 27 6C 40 E4 D1 4F F6 D0 F3 F0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A3 8E F2 23 80 43 13 06 37 93 AE 28 2E 0F A5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA E4 66 BC 5C B3 C7 2E BB 94 DB 69 F1 A8 E6 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3548 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 CE C7 33 E6 D4 B6 33 BB B8 20 20 9C D6 58 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:4016 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 45 DA 8E 9E 63 86 F6 AD 04 24 9B 0C CA B0 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2000 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 FB B9 6F D9 9D 42 2A 4A 48 DA D0 3B 4D D9 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:3576 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 41 39 38 BD D5 37 E7 5F 9B 2C 3D 00 15 B2 B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 C2 9C 29 E0 45 2E 5B FC A1 C4 9D BB A0 75 83"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:2604 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 DA 97 9A 63 45 49 97 33 A8 5F 26 9D C1 AD 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process hkmsvc.exe:1368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 55 48 20 99 4D E8 94 CC CD 98 B2 13 A8 3C 29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process AppMgmt.exe:2384 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 8B 90 75 AB D3 86 78 1C 7C 80 B3 92 32 E1 99"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process AppMgmt.exe:332 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 E0 D5 C9 1D 72 58 8A B6 EA 70 03 2B 1B CA 0A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"hkmsvc.exe" = " Health Key and Certificate Management"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:640 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\0b6f8cb649b3f077d78d9a6a46cc7445\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 38 85 15 2E 50 A0 9D BE 27 5C 14 C1 10 7B 93"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\0b6f8cb649b3f077d78d9a6a46cc7445\DEBUG]
"Trace Level"

The process %original file name%.exe:1992 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 73 BB 2B 77 D5 AB 48 95 66 C1 63 B0 55 FB EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"AppMgmt.exe" = " Application Management"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vbc.exe:3872 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 2C C8 5E 1F A4 44 29 2E A3 A1 2F F9 FB 80 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

The process vbc.exe:2348 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 9F DE 25 F4 A6 C9 76 2B 2E 6E 17 7D EE 90 C8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5 File path
679838bb0e4719d456eac27d910c847ec:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\AppMgmt.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    hkmsvc.exe:3716
    hkmsvc.exe:2716
    hkmsvc.exe:3076
    hkmsvc.exe:3712
    hkmsvc.exe:3496
    hkmsvc.exe:3928
    hkmsvc.exe:3288
    hkmsvc.exe:2840
    hkmsvc.exe:3048
    hkmsvc.exe:2096
    hkmsvc.exe:3324
    hkmsvc.exe:136
    hkmsvc.exe:3328
    hkmsvc.exe:496
    hkmsvc.exe:3808
    hkmsvc.exe:2524
    hkmsvc.exe:3128
    hkmsvc.exe:2320
    hkmsvc.exe:2612
    hkmsvc.exe:3552
    hkmsvc.exe:1944
    hkmsvc.exe:404
    hkmsvc.exe:2952
    hkmsvc.exe:2244
    hkmsvc.exe:932
    hkmsvc.exe:1916
    hkmsvc.exe:2240
    hkmsvc.exe:3992
    hkmsvc.exe:2408
    hkmsvc.exe:3764
    hkmsvc.exe:3832
    hkmsvc.exe:2704
    hkmsvc.exe:2852
    hkmsvc.exe:2468
    hkmsvc.exe:3484
    hkmsvc.exe:3932
    hkmsvc.exe:120
    hkmsvc.exe:3332
    hkmsvc.exe:4032
    hkmsvc.exe:1952
    hkmsvc.exe:3644
    hkmsvc.exe:1068
    hkmsvc.exe:2552
    hkmsvc.exe:2556
    hkmsvc.exe:3568
    hkmsvc.exe:2492
    hkmsvc.exe:2996
    hkmsvc.exe:3244
    hkmsvc.exe:2068
    hkmsvc.exe:2804
    hkmsvc.exe:2060
    hkmsvc.exe:2256
    hkmsvc.exe:2992
    hkmsvc.exe:3000
    hkmsvc.exe:3772
    hkmsvc.exe:3240
    hkmsvc.exe:1324
    hkmsvc.exe:2872
    hkmsvc.exe:3944
    hkmsvc.exe:3440
    hkmsvc.exe:3276
    hkmsvc.exe:3144
    hkmsvc.exe:396
    hkmsvc.exe:3672
    hkmsvc.exe:2308
    hkmsvc.exe:3476
    hkmsvc.exe:3472
    hkmsvc.exe:2300
    hkmsvc.exe:3648
    hkmsvc.exe:3024
    hkmsvc.exe:4048
    hkmsvc.exe:2788
    hkmsvc.exe:1856
    hkmsvc.exe:3160
    hkmsvc.exe:420
    hkmsvc.exe:1400
    hkmsvc.exe:3744
    hkmsvc.exe:912
    hkmsvc.exe:3812
    hkmsvc.exe:584
    hkmsvc.exe:3816
    hkmsvc.exe:304
    hkmsvc.exe:2448
    hkmsvc.exe:2932
    hkmsvc.exe:2880
    hkmsvc.exe:588
    hkmsvc.exe:2764
    hkmsvc.exe:384
    hkmsvc.exe:240
    hkmsvc.exe:3848
    hkmsvc.exe:3368
    hkmsvc.exe:2832
    hkmsvc.exe:3316
    hkmsvc.exe:784
    hkmsvc.exe:4056
    hkmsvc.exe:2276
    hkmsvc.exe:4052
    hkmsvc.exe:3396
    hkmsvc.exe:2576
    hkmsvc.exe:3096
    hkmsvc.exe:2676
    hkmsvc.exe:1972
    hkmsvc.exe:2372
    hkmsvc.exe:516
    hkmsvc.exe:2616
    hkmsvc.exe:3596
    hkmsvc.exe:3616
    hkmsvc.exe:2476
    hkmsvc.exe:3804
    hkmsvc.exe:1344
    hkmsvc.exe:2296
    hkmsvc.exe:456
    hkmsvc.exe:3756
    hkmsvc.exe:3004
    hkmsvc.exe:3824
    hkmsvc.exe:3256
    hkmsvc.exe:2196
    hkmsvc.exe:1900
    hkmsvc.exe:1588
    hkmsvc.exe:2204
    hkmsvc.exe:4064
    hkmsvc.exe:2056
    hkmsvc.exe:2888
    hkmsvc.exe:1732
    hkmsvc.exe:2564
    hkmsvc.exe:3388
    hkmsvc.exe:2688
    hkmsvc.exe:3088
    hkmsvc.exe:2684
    hkmsvc.exe:1508
    hkmsvc.exe:2680
    hkmsvc.exe:2116
    hkmsvc.exe:2816
    hkmsvc.exe:2420
    hkmsvc.exe:460
    hkmsvc.exe:2588
    hkmsvc.exe:3892
    hkmsvc.exe:3072
    hkmsvc.exe:2180
    hkmsvc.exe:3520
    hkmsvc.exe:3996
    hkmsvc.exe:3724
    hkmsvc.exe:4076
    hkmsvc.exe:3528
    hkmsvc.exe:3176
    hkmsvc.exe:3688
    hkmsvc.exe:3376
    hkmsvc.exe:2896
    hkmsvc.exe:3372
    hkmsvc.exe:3684
    hkmsvc.exe:3012
    hkmsvc.exe:3964
    hkmsvc.exe:2108
    hkmsvc.exe:3960
    hkmsvc.exe:1744
    hkmsvc.exe:3272
    hkmsvc.exe:2356
    hkmsvc.exe:1632
    hkmsvc.exe:2860
    hkmsvc.exe:2736
    hkmsvc.exe:2232
    hkmsvc.exe:3900
    hkmsvc.exe:600
    hkmsvc.exe:3680
    hkmsvc.exe:3860
    hkmsvc.exe:3908
    hkmsvc.exe:3220
    hkmsvc.exe:2824
    hkmsvc.exe:2944
    hkmsvc.exe:3732
    hkmsvc.exe:3068
    hkmsvc.exe:2340
    hkmsvc.exe:876
    hkmsvc.exe:3340
    hkmsvc.exe:4004
    hkmsvc.exe:1136
    hkmsvc.exe:3344
    hkmsvc.exe:956
    hkmsvc.exe:3184
    hkmsvc.exe:1692
    hkmsvc.exe:2508
    hkmsvc.exe:2748
    hkmsvc.exe:3192
    hkmsvc.exe:1752
    hkmsvc.exe:2500
    hkmsvc.exe:2648
    hkmsvc.exe:3628
    hkmsvc.exe:2876
    hkmsvc.exe:3624
    hkmsvc.exe:2728
    hkmsvc.exe:3500
    hkmsvc.exe:3352
    hkmsvc.exe:3236
    hkmsvc.exe:1884
    hkmsvc.exe:2332
    hkmsvc.exe:3428
    hkmsvc.exe:3420
    hkmsvc.exe:3548
    hkmsvc.exe:4016
    hkmsvc.exe:2000
    hkmsvc.exe:3576
    hkmsvc.exe:2532
    hkmsvc.exe:2604
    hkmsvc.exe:1368
    AppMgmt.exe:332
    %original file name%.exe:1992
    vbc.exe:3872
    vbc.exe:2348

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)
    %Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
    %Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (3361 bytes)
    %System%\wbem\Logs\wbemprox.log (150 bytes)
    %Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: hkmsvc
Product Version: 15.0.30373.5119
Legal Copyright: Copyright (c) 2013 - 2015
Legal Trademarks:
Original Filename: hkmsvc.exe
Internal Name: hkmsvc
File Version: 15.0.30274.5111
File Description: Health Key and Certificate Management
Comments:
Language: English (United States)

Company Name: Product Name: hkmsvcProduct Version: 15.0.30373.5119Legal Copyright: Copyright (c) 2013 - 2015Legal Trademarks: Original Filename: hkmsvc.exe Internal Name: hkmsvc File Version: 15.0.30274.5111File Description: Health Key and Certificate Management Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81925849005852165.30553f96e2718ba0d82cd8328ce1982cd7842
.rsrc598016153615362.87134c8887e386014e9110e621f231590eeac
.reloc606208125120.05651901b67511afc005f180c4c785361f5051

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://whatismyipaddress.com/66.171.248.172

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: whatismyipaddress.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 12 May 2015 23:20:29 GMT

Server: Apache/2.2.29 (Unix) DAV/2 PHP/5.4.38 mod_ssl/2.2.29 OpenSSL/0.9.8zd

Set-Cookie: pt=cfea4c912e46fcc1fad199940d30783d; expires=Wed, 13-May-2015 23:20:29 GMT

Cache-Control: max-age=15

MS-Author-Via: DAV

Vary: Accept-Encoding

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

217f..<!doctype html>.<html lang="en">.<head>..<meta charset="windows-1252">..<meta name="robots" content="noarchive">..<title>What Is My IP Address? IP Address Tools and More</title>..<meta name="description" content="IP address lookup, location, proxy detection, email tracing, IP hiding tips, blacklist check, speed test, and forums. Find, get, and show my IP address.">..<meta name="keywords" content="my ip ,ip, address, adress, my, what, is, find, get, show, locate, change, location, how, do, i, ip address, proxy, server, anonymous, hide, conceal, stealth, surf, web, anonymizer, anonymize, changer, privacy, geolocation, geolocate, lookup, look up, locate, trace, track, email, source, headers">..<meta property="fb:admins" content="607824267">..<meta name="thumbnail" content="hXXp://cdn.whatismyipaddress.com/images-v4/globe.png">..<link rel="image_src" type="image/png" href="hXXp://cdn.whatismyipaddress.com/images-v4/globe.png">..<link rel="shortcut icon" href="hXXp://cdn.whatismyipaddress.com/favicon.ico">...<link rel="stylesheet" type="text/css" href="hXXp://cdn.whatismyipaddress.com/css/myip_v4_5.css">..<link rel="publisher" href="hXXps://plus.google.com/ whatismyipaddress">..<link rel="canonical" href="hXXp://whatismyipaddress.com">..<link rel="alternate" hreflang="fr" href="hXXp://whatismyipaddress.com/fr/mon-ip">..<link rel="alternate" hreflang="de" href="hXXp://whatismyipaddress.com/de/meine-ip">.

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_640:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

CMemoryExecute.dll

CMemoryExecute.dll

CMemoryExecute

CMemoryExecute

PAGE_EXECUTE_READWRITE

PAGE_EXECUTE_READWRITE

.ctor

.ctor

System.Reflection

System.Reflection

System.Runtime.InteropServices

System.Runtime.InteropServices

System.Security.Permissions

System.Security.Permissions

System.Diagnostics

System.Diagnostics

System.Runtime.CompilerServices

System.Runtime.CompilerServices

DllImportAttribute

DllImportAttribute

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

System.Security

System.Security

$8fcd4931-91a2-4e18-849b-70de34ab75df

$8fcd4931-91a2-4e18-849b-70de34ab75df

1.0.0.0

1.0.0.0

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

mscoree.dll

mscoree.dll

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

D$.SPf

D$.SPf

2 34 567

2 34 567

com.apple.Safari

com.apple.Safari

com.apple.WebKit2WebProcess

com.apple.WebKit2WebProcess

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

"Account","Login Name","Password","Web Site","Comments"

"Account","Login Name","Password","Web Site","Comments"

3.7.5

3.7.5

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

large file support is disabled

large file support is disabled

unknown operation

unknown operation

SQL logic error or missing database

SQL logic error or missing database

foreign_keys

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_source_id

sqlite_source_id

sqlite_version

sqlite_version

sqlite_attach

sqlite_attach

sqlite_detach

sqlite_detach

sqlite_stat1

sqlite_stat1

sqlite_rename_parent

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_table

sqlite_rename_table

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

%Y-%m-%d

%Y-%m-%d

%H:%M:%S

%H:%M:%S

SQLITE_

SQLITE_

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

OsError 0x%x (%u)

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

%s-mjX

%s-mjX

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

oversized integer: %s%s

oversized integer: %s%s

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

there is already another table or index with this name: %s

there is already another table or index with this name: %s

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

view %s is circularly defined

view %s is circularly defined

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

PRIMARY KEY must be unique

PRIMARY KEY must be unique

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_key_list

foreign_key_list

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

%s.%s

%s.%s

%s:%d

%s:%d

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

unknown database: %s

unknown database: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

sqlite3_open

sqlite3_open

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_text

sqlite3_column_text

sqlite3_column_int

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

msvcrt.dll

msvcrt.dll

_wcmdln

_wcmdln

COMCTL32.dll

COMCTL32.dll

VERSION.dll

VERSION.dll

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

WININET.dll

WININET.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

5JEw%Xg

5JEw%Xg

hXXp://VVV.usertrust.com1

hXXp://VVV.usertrust.com1

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

hXXp://ocsp.usertrust.com0

hXXp://ocsp.usertrust.com0

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

hXXps://secure.comodo.net/CPS0A

hXXps://secure.comodo.net/CPS0A

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

hXXp://ocsp.comodoca.com0

hXXp://ocsp.comodoca.com0

support@nirsoft.net0

support@nirsoft.net0

t{SSh

t{SSh

v%SSW

v%SSW

Mail PassView

Mail PassView

Mozilla\Profiles

Mozilla\Profiles

Software\Mozilla\Mozilla Thunderbird

Software\Mozilla\Mozilla Thunderbird

%s\Main

%s\Main

sqlite3.dll

sqlite3.dll

nss3.dll

nss3.dll

%programfiles%\Mozilla Thunderbird

%programfiles%\Mozilla Thunderbird

AddExportHeaderLine

AddExportHeaderLine

%s %s %s

%s %s %s

HTTPMail User Name

HTTPMail User Name

SMTP USer Name

SMTP USer Name

HTTPMail Server

HTTPMail Server

SMTP Server

SMTP Server

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Port

POP3 Port

IMAP Port

IMAP Port

HTTPMail Port

HTTPMail Port

SMTP Port

SMTP Port

HTTPMail Secure Connection

HTTPMail Secure Connection

SMTP Secure Connection

SMTP Secure Connection

SMTP Display Name

SMTP Display Name

SMTP Email Address

SMTP Email Address

POP3 Password

POP3 Password

IMAP Password

IMAP Password

HTTP Password

HTTP Password

SMTP Password

SMTP Password

HTTP User

HTTP User

SMTP User

SMTP User

HTTP Server URL

HTTP Server URL

HTTP Port

HTTP Port

HTTPMail Use SSL

HTTPMail Use SSL

SMTP Use SSL

SMTP Use SSL

%s\%s

%s\%s

PopPort

PopPort

PopPassword

PopPassword

SMTPAccount

SMTPAccount

SMTPServer

SMTPServer

SMTPPort

SMTPPort

SMTPLogSecure

SMTPLogSecure

SMTPPassword

SMTPPassword

%s\Accounts

%s\Accounts

LoginName

LoginName

SavePasswordText

SavePasswordText

ESMTPUsername

ESMTPUsername

ESMTPPassword

ESMTPPassword

POP3Password

POP3Password

fb.dat

fb.dat

%s@gmail.com

%s@gmail.com

%s@yahoo.com

%s@yahoo.com

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles


%s %s


%s %s

smtp

smtp

advapi32.dll

advapi32.dll

comctl32.dll

comctl32.dll

*.ini

*.ini

netmsg.dll

netmsg.dll

Error %d: %s

Error %d: %s

%s (%s)

%s (%s)

menu_%d

menu_%d

dialog_%d

dialog_%d

TranslatorURL

TranslatorURL

_lng.ini

_lng.ini

%-18s: %s

%-18s: %s

%%-%d.%ds

%%-%d.%ds

%s

%s

%s

%s

%s%s

%s%s

bgcolor="%s"

bgcolor="%s"

%s

%s

%s%s>

%s%s>

%s>

%s>

report.html

report.html

*.txt

*.txt

*.htm;*.html

*.htm;*.html

*.xml

*.xml

*.csv

*.csv

Software\NirSoft\MailPassView

Software\NirSoft\MailPassView

MailPassView

MailPassView

/skeepass

/skeepass

/deleteregkey

/deleteregkey

Failed to load the executable file !

Failed to load the executable file !

mail.account.account

mail.account.account

mail.server

mail.server

port

port

mail.identity

mail.identity

signon.signonfilename

signon.signonfilename

mailbox://%s@%s

mailbox://%s@%s

imap://%s@%s

imap://%s@%s

mailbox://%s

mailbox://%s

imap://%s

imap://%s

signons.txt

signons.txt

signons.sqlite

signons.sqlite

prefs.js

prefs.js

Password.NET Messenger Service

Password.NET Messenger Service

User.NET Messenger Service

User.NET Messenger Service

Passport.Net\*

Passport.Net\*

ps:password

ps:password

windowslive:name=

windowslive:name=

Exception %8.8X at address %8.8X in module %s

Exception %8.8X at address %8.8X in module %s

Stack Data: %s

Stack Data: %s

Code Data: %s

Code Data: %s

mozsqlite3.dll

mozsqlite3.dll

psapi.dll

psapi.dll

pstorec.dll

pstorec.dll

5e7e8100-9138-11d1-945a-00c04fc308ff

5e7e8100-9138-11d1-945a-00c04fc308ff

00000000-0000-0000-0000-000000000000

00000000-0000-0000-0000-000000000000

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

shell32.dll

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shlwapi.dll

shlwapi.dll

%s%s

%s%s

%s

%s

%s

%s

size="%d"

size="%d"

color="#%s"

color="#%s"

width="%s"

width="%s"

%s%s%s

%s%s%s

SOFTWARE\Mozilla

SOFTWARE\Mozilla

mozilla

mozilla

%s\bin

%s\bin

PathToExe

PathToExe

\sqlite3.dll

\sqlite3.dll

\mozsqlite3.dll

\mozsqlite3.dll

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

SMTP_Server

SMTP_Server

SMTP_User_Name

SMTP_User_Name

POP3_Password2

POP3_Password2

IMAP_Password2

IMAP_Password2

NNTP_Password2

NNTP_Password2

SMTP_Password2

SMTP_Password2

SMTP_Email_Address

SMTP_Email_Address

SMTP_Port

SMTP_Port

NNTP_Port

NNTP_Port

IMAP_Port

IMAP_Port

POP3_Port

POP3_Port

SMTP_Secure_Connection

SMTP_Secure_Connection

*.oeaccount

*.oeaccount

\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

_acmdln

_acmdln

RPCRT4.dll

RPCRT4.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

RegEnumKeyA

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExA

ShellExecuteA

ShellExecuteA

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Debugger.exe

Debugger.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

System.Management

System.Management

tapi32.dll

tapi32.dll

rtm.dll

rtm.dll

user32.dll

user32.dll

Debugger.Debugger.resources

Debugger.Debugger.resources

Debugger.Resources.resources

Debugger.Resources.resources

Debugger.My

Debugger.My

WindowsFormsApplicationBase

WindowsFormsApplicationBase

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

m_MyWebServicesObjectProvider

m_MyWebServicesObjectProvider

.cctor

.cctor

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

WebServices

WebServices

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.Collections

System.Collections

ContainsKey

ContainsKey

InvalidOperationException

InvalidOperationException

MyWebServices

MyWebServices

encryptedpassstring

encryptedpassstring

encryptedsmtpstring

encryptedsmtpstring

portstring

portstring

fakeMSGholder

fakeMSGholder

encryptedftphost

encryptedftphost

encryptedftpuser

encryptedftpuser

encryptedftppass

encryptedftppass

useftp

useftp

websitevisitor

websitevisitor

websiteblocker

websiteblocker

passstring

passstring

smtpstring

smtpstring

ftphost

ftphost

ftpuser

ftpuser

ftppass

ftppass

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

KeyboardHandle

KeyboardHandle

KeyLog

KeyLog

CleanedPasswordsMAIL

CleanedPasswordsMAIL

CleanedPasswordsWB

CleanedPasswordsWB

System.IO

System.IO

get_ExecutablePath

get_ExecutablePath

set_WindowState

set_WindowState

FormWindowState

FormWindowState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookEx

SetWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

HookKeyboard

HookKeyboard

UnhookKeyboard

UnhookKeyboard

Operators

Operators

get_Keyboard

get_Keyboard

Keyboard

Keyboard

get_CtrlKeyDown

get_CtrlKeyDown

get_AltKeyDown

get_AltKeyDown

KeyboardCallback

KeyboardCallback

System.Threading

System.Threading

System.Collections.Generic

System.Collections.Generic

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

System.Collections.ObjectModel

System.Collections.ObjectModel

MsgBox

MsgBox

MsgBoxResult

MsgBoxResult

MsgBoxStyle

MsgBoxStyle

ForceSteamLogin

ForceSteamLogin

System.Net.NetworkInformation

System.Net.NetworkInformation

get_OperationalStatus

get_OperationalStatus

OperationalStatus

OperationalStatus

FakemsgInstall

FakemsgInstall

System.Net.Mail

System.Net.Mail

SmtpClient

SmtpClient

System.Globalization

System.Globalization

set_Port

set_Port

System.Net

System.Net

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Security.Cryptography

System.Security.Cryptography

System.Text

System.Text

set_Key

set_Key

stealWebroswers

stealWebroswers

WebClient

WebClient

readweb

readweb

System.IO.Compression

System.IO.Compression

SendLogsFTP

SendLogsFTP

FtpWebRequest

FtpWebRequest

WebRequest

WebRequest

UploadFTP

UploadFTP

secretKey

secretKey

set_KeySize

set_KeySize

get_KeySize

get_KeySize

System.Net.Sockets

System.Net.Sockets

virtualKey

virtualKey

KeyboardHookDelegate

KeyboardHookDelegate

get_Msg

get_Msg

Debugger.My.Resources

Debugger.My.Resources

System.Resources

System.Resources

get_CMemoryExecute

get_CMemoryExecute

get_WebBrowserPassView

get_WebBrowserPassView

WebBrowserPassView

WebBrowserPassView

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.Computer

My.Computer

My.Application

My.Application

My.User

My.User

My.Forms

My.Forms

My.WebServices

My.WebServices

System.Windows.Forms.Form

System.Windows.Forms.Form

My.MyProject.Forms

My.MyProject.Forms

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

10.0.0.0

10.0.0.0

My.Settings

My.Settings

$e48811ca-8af8-4e73-85dd-2045b9cca73a

$e48811ca-8af8-4e73-85dd-2045b9cca73a

_CorExeMain

_CorExeMain

%%0.ß

%%0.ß

Apple Computer\Preferences\keychain.plist

Apple Computer\Preferences\keychain.plist

LoadPasswordsIE

LoadPasswordsIE

LoadPasswordsFirefox

LoadPasswordsFirefox

LoadPasswordsChrome

LoadPasswordsChrome

LoadPasswordsOpera

LoadPasswordsOpera

LoadPasswordsSafari

LoadPasswordsSafari

LoadPasswordsSeaMonkey

LoadPasswordsSeaMonkey

UseFirefoxProfileFolder

UseFirefoxProfileFolder

UseFirefoxInstallFolder

UseFirefoxInstallFolder

UseChromeProfileFolder

UseChromeProfileFolder

UseOperaPasswordFile

UseOperaPasswordFile

FirefoxProfileFolder

FirefoxProfileFolder

FirefoxInstallFolder

FirefoxInstallFolder

ChromeProfileFolder

ChromeProfileFolder

OperaPasswordFile

OperaPasswordFile

Aadvapi32.dll

Aadvapi32.dll

crypt32.dll

crypt32.dll

777705555443332

777705555443332

5555443332

5555443332

5555443332

5555443332

wand.dat

wand.dat

@nss3.dll

@nss3.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

%programfiles%\Sea Monkey

%programfiles%\Sea Monkey

%programfiles%\Mozilla Firefox

%programfiles%\Mozilla Firefox

-signons.txt

-signons.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

@dllhost.exe

@dllhost.exe

taskhost.exe

taskhost.exe

taskhostex.exe

taskhostex.exe

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

index.dat

index.dat

hXXps://VVV.google.com/accounts/servicelogin

hXXps://VVV.google.com/accounts/servicelogin

hXXp://VVV.facebook.com/

hXXp://VVV.facebook.com/

hXXps://login.yahoo.com/config/login

hXXps://login.yahoo.com/config/login

hXXp://

hXXp://

hXXps://

hXXps://

PTF://

PTF://

@history.dat

@history.dat

places.sqlite

places.sqlite

Mozilla\Firefox\Profiles

Mozilla\Firefox\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey

Mozilla\SeaMonkey

Mozilla\Firefox

Mozilla\Firefox

profiles.ini

profiles.ini

Profile%d

Profile%d

tntdll.dll

tntdll.dll

sWeb Data

sWeb Data

Login Data

Login Data

Google\Chrome\User Data

Google\Chrome\User Data

Google\Chrome SxS\User Data

Google\Chrome SxS\User Data

Opera\Opera\wand.dat

Opera\Opera\wand.dat

Opera\Opera7\profile\wand.dat

Opera\Opera7\profile\wand.dat

Opera

Opera

@"%s"

@"%s"

Ashell32.dll

Ashell32.dll

\nss3.dll

\nss3.dll

.save

.save

vaultcli.dll

vaultcli.dll

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

Copy &Password

Copy &Password

&HTML Report - All Items

&HTML Report - All Items

HTML R&eport - Selected Items

HTML R&eport - Selected Items

HTML Report - All Items

HTML Report - All Items

HTML Report - Selected Items

HTML Report - Selected Items

Load Passwords From...

Load Passwords From...

Google Chrome

Google Chrome

Mozilla Firefox

Mozilla Firefox

SeaMonkey

SeaMonkey

Firefox Options

Firefox Options

Master password:

Master password:

Firefox Profile:

Firefox Profile:

Firefox Installation:

Firefox Installation:

Chrome Options

Chrome Options

Opera Options

Opera Options

wand.dat file:

wand.dat file:

%d Passwords

%d Passwords

, %d Selected

, %d Selected

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Loading... %d

Loading... %d

KeePass csv file

KeePass csv file

Opera Password File

Opera Password File

Firefox 1.x

Firefox 1.x

Firefox 2.x

Firefox 2.x

Firefox 3.0

Firefox 3.0

Firefox

Firefox

Chrome

Chrome

Web Browser

Web Browser

Password

Password

Password Strength

Password Strength

Password Field

Password Field

WebBrowserPassView.exe

WebBrowserPassView.exe

VVV.google.com/Please log in to your Gmail account

VVV.google.com/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com/Please log in to your Google Account

VVV.google.com/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com

VVV.google.com

dWindowsLive:name=*

dWindowsLive:name=*

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

Copy Password

Copy Password

%d items

%d items

Select Eudora.ini filename/Select the location of Thunderbird installation

Select Eudora.ini filename/Select the location of Thunderbird installation

Eudora.ini file

Eudora.ini file

SMTP

SMTP

Windows Mail

Windows Mail

Windows Live Mail

Windows Live Mail

Server Port

Server Port

SMTP Server Port

SMTP Server Port

Mail Password Recovery

Mail Password Recovery

mailpv.exe

mailpv.exe

3, 7 #,)

3, 7 #,)

2400000

2400000

MessageBoxIcon.Error

MessageBoxIcon.Error

noftp

noftp

filename.exe

filename.exe

hXXp://VVV.example.com/directory/file.exe

hXXp://VVV.example.com/directory/file.exe

Disablecmd

Disablecmd

\Windows Update.exe

\Windows Update.exe

\WindowsUpdate.exe

\WindowsUpdate.exe

SysInfo.txt

SysInfo.txt

\pid.txt

\pid.txt

\pidloc.txt

\pidloc.txt

\Mozilla\Firefox\Profiles

\Mozilla\Firefox\Profiles

127.0.0.1

127.0.0.1

\SteamAppData.vdf

\SteamAppData.vdf

\ClientRegistry.blob

\ClientRegistry.blob

MessageBoxIcon.Exclamation

MessageBoxIcon.Exclamation

Keylogger Enabled:

Keylogger Enabled:

Operating System:

Operating System:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

autorun.inf

autorun.inf

open=Sys.exe

open=Sys.exe

Sys.exe

Sys.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Windows Update

Windows Update

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

holdermail.txt"

holdermail.txt"

holdermail.txt

holdermail.txt

Operating System Intel Recovery

Operating System Intel Recovery

Operating System Platform:

Operating System Platform:

Operating System Version:

Operating System Version:

WEB Browser Password Recovery

WEB Browser Password Recovery

Mail Messenger Password Recovery

Mail Messenger Password Recovery

Jdownloader Password Recovery

Jdownloader Password Recovery

holderwb.txt"

holderwb.txt"

holderwb.txt

holderwb.txt

\.minecraft\lastlogin

\.minecraft\lastlogin

There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor

There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor

Logger - Key Recorder - [

Logger - Key Recorder - [

Keylogger Log

Keylogger Log

.jpeg

.jpeg

Logger_KeyLog_

Logger_KeyLog_

hXXp://whatismyipaddress.com/

hXXp://whatismyipaddress.com/

Debugger.Resources

Debugger.Resources

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%original file name%.exe_640_rwx_00400000_00084000:

.text

.text

`.rsrc

`.rsrc

@.reloc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

v2.0.50727

v2.0.50727

CMemoryExecute.dll

CMemoryExecute.dll

CMemoryExecute

CMemoryExecute

PAGE_EXECUTE_READWRITE

PAGE_EXECUTE_READWRITE

.ctor

.ctor

System.Reflection

System.Reflection

System.Runtime.InteropServices

System.Runtime.InteropServices

System.Security.Permissions

System.Security.Permissions

System.Diagnostics

System.Diagnostics

System.Runtime.CompilerServices

System.Runtime.CompilerServices

DllImportAttribute

DllImportAttribute

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

System.Security

System.Security

$8fcd4931-91a2-4e18-849b-70de34ab75df

$8fcd4931-91a2-4e18-849b-70de34ab75df

1.0.0.0

1.0.0.0

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb

mscoree.dll

mscoree.dll

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

D$.SPf

D$.SPf

2 34 567

2 34 567

com.apple.Safari

com.apple.Safari

com.apple.WebKit2WebProcess

com.apple.WebKit2WebProcess

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins

"Account","Login Name","Password","Web Site","Comments"

"Account","Login Name","Password","Web Site","Comments"

3.7.5

3.7.5

SQLite format 3

SQLite format 3

CREATE TABLE sqlite_master(

CREATE TABLE sqlite_master(

sql text

sql text

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins

PK11_GetInternalKeySlot

PK11_GetInternalKeySlot

PK11_CheckUserPassword

PK11_CheckUserPassword

large file support is disabled

large file support is disabled

unknown operation

unknown operation

SQL logic error or missing database

SQL logic error or missing database

foreign_keys

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_compileoption_used

sqlite_source_id

sqlite_source_id

sqlite_version

sqlite_version

sqlite_attach

sqlite_attach

sqlite_detach

sqlite_detach

sqlite_stat1

sqlite_stat1

sqlite_rename_parent

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_trigger

sqlite_rename_table

sqlite_rename_table

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

%Y-%m-%d

%Y-%m-%d

%H:%M:%S

%H:%M:%S

SQLITE_

SQLITE_

failed to allocate %u bytes of memory

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

failed memory resize %u to %u bytes

922337203685477580

922337203685477580

API call with %s database connection pointer

API call with %s database connection pointer

%s-shm

%s-shm

%s\etilqs_

%s\etilqs_

OsError 0x%x (%u)

OsError 0x%x (%u)

Recovered %d frames from WAL file %s

Recovered %d frames from WAL file %s

%s-mjX

%s-mjX

foreign key constraint failed

foreign key constraint failed

unable to use function %s in the requested context

unable to use function %s in the requested context

abort at %d in [%s]: %s

abort at %d in [%s]: %s

constraint failed at %d in [%s]

constraint failed at %d in [%s]

cannot open savepoint - SQL statements in progress

cannot open savepoint - SQL statements in progress

no such savepoint: %s

no such savepoint: %s

cannot %s savepoint - SQL statements in progress

cannot %s savepoint - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

cannot commit transaction - SQL statements in progress

sqlite_master

sqlite_master

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot change %s wal mode from within a transaction

cannot change %s wal mode from within a transaction

statement aborts at %d: [%s] %s

statement aborts at %d: [%s] %s

misuse of aliased aggregate %s

misuse of aliased aggregate %s

%s: %s.%s.%s

%s: %s.%s.%s

%s: %s.%s

%s: %s.%s

%s: %s

%s: %s

%r %s BY term out of range - should be between 1 and %d

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

too many terms in %s BY clause

Expression tree is too large (maximum depth %d)

Expression tree is too large (maximum depth %d)

variable number must be between ?1 and ?%d

variable number must be between ?1 and ?%d

too many SQL variables

too many SQL variables

too many columns in %s

too many columns in %s

oversized integer: %s%s

oversized integer: %s%s

misuse of aggregate: %s()

misuse of aggregate: %s()

%.*s"%w"%s

%.*s"%w"%s

%s%.*s"%w"

%s%.*s"%w"

%s OR name=%Q

%s OR name=%Q

type='trigger' AND (%s)

type='trigger' AND (%s)

there is already another table or index with this name: %s

there is already another table or index with this name: %s

sqlite_

sqlite_

table %s may not be altered

table %s may not be altered

view %s may not be altered

view %s may not be altered

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

Cannot add a PRIMARY KEY column

Cannot add a PRIMARY KEY column

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

sqlite_altertab_%s

sqlite_altertab_%s

CREATE TABLE %Q.%s(%s)

CREATE TABLE %Q.%s(%s)

DELETE FROM %Q.%s WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl=%Q

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

invalid name: "%s"

invalid name: "%s"

too many attached databases - max %d

too many attached databases - max %d

database %s is already in use

database %s is already in use

unable to open database: %s

unable to open database: %s

no such database: %s

no such database: %s

cannot detach database %s

cannot detach database %s

database %s is locked

database %s is locked

%s %T cannot reference objects in database %s

%s %T cannot reference objects in database %s

object name reserved for internal use: %s

object name reserved for internal use: %s

there is already an index named %s

there is already an index named %s

too many columns on %s

too many columns on %s

duplicate column name: %s

duplicate column name: %s

default value of column [%s] is not constant

default value of column [%s] is not constant

table "%s" has more than one primary key

table "%s" has more than one primary key

no such collation sequence: %s

no such collation sequence: %s

CREATE %s %.*s

CREATE %s %.*s

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

view %s is circularly defined

view %s is circularly defined

table %s may not be dropped

table %s may not be dropped

use DROP TABLE to delete table %s

use DROP TABLE to delete table %s

use DROP VIEW to delete view %s

use DROP VIEW to delete view %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

foreign key on %s should reference only one column of table %T

foreign key on %s should reference only one column of table %T

number of columns in foreign key does not match the number of columns in the referenced table

number of columns in foreign key does not match the number of columns in the referenced table

unknown column "%s" in foreign key definition

unknown column "%s" in foreign key definition

indexed columns are not unique

indexed columns are not unique

table %s may not be indexed

table %s may not be indexed

views may not be indexed

views may not be indexed

virtual tables may not be indexed

virtual tables may not be indexed

there is already a table named %s

there is already a table named %s

index %s already exists

index %s already exists

sqlite_autoindex_%s_%d

sqlite_autoindex_%s_%d

table %s has no column named %s

table %s has no column named %s

CREATE%s INDEX %.*s

CREATE%s INDEX %.*s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

no such index: %S

no such index: %S

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

a JOIN clause is required before %s

a JOIN clause is required before %s

unable to identify the object to be reindexed

unable to identify the object to be reindexed

table %s may not be modified

table %s may not be modified

cannot modify %s because it is a view

cannot modify %s because it is a view

foreign key mismatch

foreign key mismatch

table %S has %d columns but %d values were supplied

table %S has %d columns but %d values were supplied

%d values for %d columns

%d values for %d columns

table %S has no column named %s

table %S has no column named %s

%s.%s may not be NULL

%s.%s may not be NULL

PRIMARY KEY must be unique

PRIMARY KEY must be unique

automatic extension loading failed: %s

automatic extension loading failed: %s

foreign_key_list

foreign_key_list

malformed database schema (%s)

malformed database schema (%s)

%s - %s

%s - %s

unsupported file format

unsupported file format

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unknown or unsupported join type: %T %T%s%T

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

RIGHT and FULL OUTER JOINs are not currently supported

a NATURAL join may not have an ON or USING clause

a NATURAL join may not have an ON or USING clause

cannot have both ON and USING clauses in the same join

cannot have both ON and USING clauses in the same join

cannot join using column %s - column not present in both tables

cannot join using column %s - column not present in both tables

%s.%s

%s.%s

%s:%d

%s:%d

no such index: %s

no such index: %s

sqlite_subquery_%p_

sqlite_subquery_%p_

no such table: %s

no such table: %s

cannot create %s trigger on view: %S

cannot create %s trigger on view: %S

cannot create INSTEAD OF trigger on table: %S

cannot create INSTEAD OF trigger on table: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

no such trigger: %S

no such column: %s

no such column: %s

cannot VACUUM - SQL statements in progress

cannot VACUUM - SQL statements in progress

PRAGMA vacuum_db.synchronous=OFF

PRAGMA vacuum_db.synchronous=OFF

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor failed: %s

vtable constructor failed: %s

vtable constructor did not declare schema: %s

vtable constructor did not declare schema: %s

no such module: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

table %s: xBestIndex returned an invalid plan

at most %d tables in a join

at most %d tables in a join

cannot use index: %s

cannot use index: %s

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

unable to close due to unfinished backup operation

unable to close due to unfinished backup operation

unknown database: %s

unknown database: %s

no such vfs: %s

no such vfs: %s

database corruption at line %d of [%.10s]

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

cannot open file at line %d of [%.10s]

sqlite3_open

sqlite3_open

sqlite3_prepare

sqlite3_prepare

sqlite3_step

sqlite3_step

sqlite3_column_text

sqlite3_column_text

sqlite3_column_int

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_int64

sqlite3_finalize

sqlite3_finalize

sqlite3_close

sqlite3_close

sqlite3_exec

sqlite3_exec

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

msvcrt.dll

msvcrt.dll

_wcmdln

_wcmdln

COMCTL32.dll

COMCTL32.dll

VERSION.dll

VERSION.dll

FindCloseUrlCache

FindCloseUrlCache

FindNextUrlCacheEntryW

FindNextUrlCacheEntryW

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryW

WININET.dll

WININET.dll

GetWindowsDirectoryW

GetWindowsDirectoryW

KERNEL32.dll

KERNEL32.dll

EnumChildWindows

EnumChildWindows

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

comdlg32.dll

comdlg32.dll

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

RegEnumKeyExW

RegEnumKeyExW

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

5JEw%Xg

5JEw%Xg

hXXp://VVV.usertrust.com1

hXXp://VVV.usertrust.com1

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05

hXXp://ocsp.usertrust.com0

hXXp://ocsp.usertrust.com0

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%

hXXps://secure.comodo.net/CPS0A

hXXps://secure.comodo.net/CPS0A

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$

hXXp://ocsp.comodoca.com0

hXXp://ocsp.comodoca.com0

support@nirsoft.net0

support@nirsoft.net0

t{SSh

t{SSh

v%SSW

v%SSW

Mail PassView

Mail PassView

Mozilla\Profiles

Mozilla\Profiles

Software\Mozilla\Mozilla Thunderbird

Software\Mozilla\Mozilla Thunderbird

%s\Main

%s\Main

sqlite3.dll

sqlite3.dll

nss3.dll

nss3.dll

%programfiles%\Mozilla Thunderbird

%programfiles%\Mozilla Thunderbird

AddExportHeaderLine

AddExportHeaderLine

%s %s %s

%s %s %s

HTTPMail User Name

HTTPMail User Name

SMTP USer Name

SMTP USer Name

HTTPMail Server

HTTPMail Server

SMTP Server

SMTP Server

POP3 Password2

POP3 Password2

IMAP Password2

IMAP Password2

HTTPMail Password2

HTTPMail Password2

SMTP Password2

SMTP Password2

POP3 Port

POP3 Port

IMAP Port

IMAP Port

HTTPMail Port

HTTPMail Port

SMTP Port

SMTP Port

HTTPMail Secure Connection

HTTPMail Secure Connection

SMTP Secure Connection

SMTP Secure Connection

SMTP Display Name

SMTP Display Name

SMTP Email Address

SMTP Email Address

POP3 Password

POP3 Password

IMAP Password

IMAP Password

HTTP Password

HTTP Password

SMTP Password

SMTP Password

HTTP User

HTTP User

SMTP User

SMTP User

HTTP Server URL

HTTP Server URL

HTTP Port

HTTP Port

HTTPMail Use SSL

HTTPMail Use SSL

SMTP Use SSL

SMTP Use SSL

%s\%s

%s\%s

PopPort

PopPort

PopPassword

PopPassword

SMTPAccount

SMTPAccount

SMTPServer

SMTPServer

SMTPPort

SMTPPort

SMTPLogSecure

SMTPLogSecure

SMTPPassword

SMTPPassword

%s\Accounts

%s\Accounts

LoginName

LoginName

SavePasswordText

SavePasswordText

ESMTPUsername

ESMTPUsername

ESMTPPassword

ESMTPPassword

POP3Password

POP3Password

fb.dat

fb.dat

%s@gmail.com

%s@gmail.com

%s@yahoo.com

%s@yahoo.com

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles


%s %s


%s %s

smtp

smtp

advapi32.dll

advapi32.dll

comctl32.dll

comctl32.dll

*.ini

*.ini

netmsg.dll

netmsg.dll

Error %d: %s

Error %d: %s

%s (%s)

%s (%s)

menu_%d

menu_%d

dialog_%d

dialog_%d

TranslatorURL

TranslatorURL

_lng.ini

_lng.ini

%-18s: %s

%-18s: %s

%%-%d.%ds

%%-%d.%ds

%s

%s

%s

%s

%s%s

%s%s

bgcolor="%s"

bgcolor="%s"

%s

%s

%s%s>

%s%s>

%s>

%s>

report.html

report.html

*.txt

*.txt

*.htm;*.html

*.htm;*.html

*.xml

*.xml

*.csv

*.csv

Software\NirSoft\MailPassView

Software\NirSoft\MailPassView

MailPassView

MailPassView

/skeepass

/skeepass

/deleteregkey

/deleteregkey

Failed to load the executable file !

Failed to load the executable file !

mail.account.account

mail.account.account

mail.server

mail.server

port

port

mail.identity

mail.identity

signon.signonfilename

signon.signonfilename

mailbox://%s@%s

mailbox://%s@%s

imap://%s@%s

imap://%s@%s

mailbox://%s

mailbox://%s

imap://%s

imap://%s

signons.txt

signons.txt

signons.sqlite

signons.sqlite

prefs.js

prefs.js

Password.NET Messenger Service

Password.NET Messenger Service

User.NET Messenger Service

User.NET Messenger Service

Passport.Net\*

Passport.Net\*

ps:password

ps:password

windowslive:name=

windowslive:name=

Exception %8.8X at address %8.8X in module %s

Exception %8.8X at address %8.8X in module %s

Stack Data: %s

Stack Data: %s

Code Data: %s

Code Data: %s

mozsqlite3.dll

mozsqlite3.dll

psapi.dll

psapi.dll

pstorec.dll

pstorec.dll

5e7e8100-9138-11d1-945a-00c04fc308ff

5e7e8100-9138-11d1-945a-00c04fc308ff

00000000-0000-0000-0000-000000000000

00000000-0000-0000-0000-000000000000

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD0-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CD1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

220D5CC1-853A-11D0-84BC-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

417E2D75-84BD-11D0-84BB-00C04FD43F8F

shell32.dll

shell32.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

shlwapi.dll

shlwapi.dll

%s%s

%s%s

%s

%s

%s

%s

size="%d"

size="%d"

color="#%s"

color="#%s"

width="%s"

width="%s"

%s%s%s

%s%s%s

SOFTWARE\Mozilla

SOFTWARE\Mozilla

mozilla

mozilla

%s\bin

%s\bin

PathToExe

PathToExe

\sqlite3.dll

\sqlite3.dll

\mozsqlite3.dll

\mozsqlite3.dll

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Mail

Software\Microsoft\Windows Live Mail

Software\Microsoft\Windows Live Mail

SMTP_Server

SMTP_Server

SMTP_User_Name

SMTP_User_Name

POP3_Password2

POP3_Password2

IMAP_Password2

IMAP_Password2

NNTP_Password2

NNTP_Password2

SMTP_Password2

SMTP_Password2

SMTP_Email_Address

SMTP_Email_Address

SMTP_Port

SMTP_Port

NNTP_Port

NNTP_Port

IMAP_Port

IMAP_Port

POP3_Port

POP3_Port

SMTP_Secure_Connection

SMTP_Secure_Connection

*.oeaccount

*.oeaccount

\Microsoft\Windows Mail

\Microsoft\Windows Mail

\Microsoft\Windows Live Mail

\Microsoft\Windows Live Mail

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

f:\Projects\VS2005\mailpv\Release\mailpv.pdb

_acmdln

_acmdln

RPCRT4.dll

RPCRT4.dll

GetWindowsDirectoryA

GetWindowsDirectoryA

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

RegEnumKeyA

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExA

ShellExecuteA

ShellExecuteA

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD

Debugger.exe

Debugger.exe

Microsoft.VisualBasic

Microsoft.VisualBasic

System.Windows.Forms

System.Windows.Forms

System.Drawing

System.Drawing

System.Management

System.Management

tapi32.dll

tapi32.dll

rtm.dll

rtm.dll

user32.dll

user32.dll

Debugger.Debugger.resources

Debugger.Debugger.resources

Debugger.Resources.resources

Debugger.Resources.resources

Debugger.My

Debugger.My

WindowsFormsApplicationBase

WindowsFormsApplicationBase

Microsoft.VisualBasic.ApplicationServices

Microsoft.VisualBasic.ApplicationServices

System.ComponentModel

System.ComponentModel

System.CodeDom.Compiler

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

m_MyWebServicesObjectProvider

m_MyWebServicesObjectProvider

.cctor

.cctor

get_WebServices

get_WebServices

HelpKeywordAttribute

HelpKeywordAttribute

System.ComponentModel.Design

System.ComponentModel.Design

WebServices

WebServices

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.Collections

System.Collections

ContainsKey

ContainsKey

InvalidOperationException

InvalidOperationException

MyWebServices

MyWebServices

encryptedpassstring

encryptedpassstring

encryptedsmtpstring

encryptedsmtpstring

portstring

portstring

fakeMSGholder

fakeMSGholder

encryptedftphost

encryptedftphost

encryptedftpuser

encryptedftpuser

encryptedftppass

encryptedftppass

useftp

useftp

websitevisitor

websitevisitor

websiteblocker

websiteblocker

passstring

passstring

smtpstring

smtpstring

ftphost

ftphost

ftpuser

ftpuser

ftppass

ftppass

WM_KEYUP

WM_KEYUP

WM_KEYDOWN

WM_KEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYDOWN

WM_SYSKEYUP

WM_SYSKEYUP

KeyboardHandle

KeyboardHandle

KeyLog

KeyLog

CleanedPasswordsMAIL

CleanedPasswordsMAIL

CleanedPasswordsWB

CleanedPasswordsWB

System.IO

System.IO

get_ExecutablePath

get_ExecutablePath

set_WindowState

set_WindowState

FormWindowState

FormWindowState

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookEx

SetWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

GetAsyncKeyState

GetAsyncKeyState

vKey

vKey

HookKeyboard

HookKeyboard

UnhookKeyboard

UnhookKeyboard

Operators

Operators

get_Keyboard

get_Keyboard

Keyboard

Keyboard

get_CtrlKeyDown

get_CtrlKeyDown

get_AltKeyDown

get_AltKeyDown

KeyboardCallback

KeyboardCallback

System.Threading

System.Threading

System.Collections.Generic

System.Collections.Generic

Microsoft.VisualBasic.MyServices

Microsoft.VisualBasic.MyServices

System.Collections.ObjectModel

System.Collections.ObjectModel

MsgBox

MsgBox

MsgBoxResult

MsgBoxResult

MsgBoxStyle

MsgBoxStyle

ForceSteamLogin

ForceSteamLogin

System.Net.NetworkInformation

System.Net.NetworkInformation

get_OperationalStatus

get_OperationalStatus

OperationalStatus

OperationalStatus

FakemsgInstall

FakemsgInstall

System.Net.Mail

System.Net.Mail

SmtpClient

SmtpClient

System.Globalization

System.Globalization

set_Port

set_Port

System.Net

System.Net

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Security.Cryptography

System.Security.Cryptography

System.Text

System.Text

set_Key

set_Key

stealWebroswers

stealWebroswers

WebClient

WebClient

readweb

readweb

System.IO.Compression

System.IO.Compression

SendLogsFTP

SendLogsFTP

FtpWebRequest

FtpWebRequest

WebRequest

WebRequest

UploadFTP

UploadFTP

secretKey

secretKey

set_KeySize

set_KeySize

get_KeySize

get_KeySize

System.Net.Sockets

System.Net.Sockets

virtualKey

virtualKey

KeyboardHookDelegate

KeyboardHookDelegate

get_Msg

get_Msg

Debugger.My.Resources

Debugger.My.Resources

System.Resources

System.Resources

get_CMemoryExecute

get_CMemoryExecute

get_WebBrowserPassView

get_WebBrowserPassView

WebBrowserPassView

WebBrowserPassView

System.Configuration

System.Configuration

8.0.0.0

8.0.0.0

My.Computer

My.Computer

My.Application

My.Application

My.User

My.User

My.Forms

My.Forms

My.WebServices

My.WebServices

System.Windows.Forms.Form

System.Windows.Forms.Form

My.MyProject.Forms

My.MyProject.Forms

4System.Web.Services.Protocols.SoapHttpClientProtocol

4System.Web.Services.Protocols.SoapHttpClientProtocol

3System.Resources.Tools.StronglyTypedResourceBuilder

3System.Resources.Tools.StronglyTypedResourceBuilder

4.0.0.0

4.0.0.0

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator

10.0.0.0

10.0.0.0

My.Settings

My.Settings

$e48811ca-8af8-4e73-85dd-2045b9cca73a

$e48811ca-8af8-4e73-85dd-2045b9cca73a

_CorExeMain

_CorExeMain

%%0.ß

%%0.ß

Apple Computer\Preferences\keychain.plist

Apple Computer\Preferences\keychain.plist

LoadPasswordsIE

LoadPasswordsIE

LoadPasswordsFirefox

LoadPasswordsFirefox

LoadPasswordsChrome

LoadPasswordsChrome

LoadPasswordsOpera

LoadPasswordsOpera

LoadPasswordsSafari

LoadPasswordsSafari

LoadPasswordsSeaMonkey

LoadPasswordsSeaMonkey

UseFirefoxProfileFolder

UseFirefoxProfileFolder

UseFirefoxInstallFolder

UseFirefoxInstallFolder

UseChromeProfileFolder

UseChromeProfileFolder

UseOperaPasswordFile

UseOperaPasswordFile

FirefoxProfileFolder

FirefoxProfileFolder

FirefoxInstallFolder

FirefoxInstallFolder

ChromeProfileFolder

ChromeProfileFolder

OperaPasswordFile

OperaPasswordFile

Aadvapi32.dll

Aadvapi32.dll

crypt32.dll

crypt32.dll

777705555443332

777705555443332

5555443332

5555443332

5555443332

5555443332

wand.dat

wand.dat

@nss3.dll

@nss3.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe

%programfiles%\Sea Monkey

%programfiles%\Sea Monkey

%programfiles%\Mozilla Firefox

%programfiles%\Mozilla Firefox

-signons.txt

-signons.txt

signons2.txt

signons2.txt

signons3.txt

signons3.txt

@dllhost.exe

@dllhost.exe

taskhost.exe

taskhost.exe

taskhostex.exe

taskhostex.exe

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV01.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

Microsoft\Windows\WebCache\WebCacheV24.dat

index.dat

index.dat

hXXps://VVV.google.com/accounts/servicelogin

hXXps://VVV.google.com/accounts/servicelogin

hXXp://VVV.facebook.com/

hXXp://VVV.facebook.com/

hXXps://login.yahoo.com/config/login

hXXps://login.yahoo.com/config/login

hXXp://

hXXp://

hXXps://

hXXps://

PTF://

PTF://

@history.dat

@history.dat

places.sqlite

places.sqlite

Mozilla\Firefox\Profiles

Mozilla\Firefox\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey\Profiles

Mozilla\SeaMonkey

Mozilla\SeaMonkey

Mozilla\Firefox

Mozilla\Firefox

profiles.ini

profiles.ini

Profile%d

Profile%d

tntdll.dll

tntdll.dll

sWeb Data

sWeb Data

Login Data

Login Data

Google\Chrome\User Data

Google\Chrome\User Data

Google\Chrome SxS\User Data

Google\Chrome SxS\User Data

Opera\Opera\wand.dat

Opera\Opera\wand.dat

Opera\Opera7\profile\wand.dat

Opera\Opera7\profile\wand.dat

Opera

Opera

@"%s"

@"%s"

Ashell32.dll

Ashell32.dll

\nss3.dll

\nss3.dll

.save

.save

vaultcli.dll

vaultcli.dll

abe2869f-9b47-4cd9-a358-c22904dba7f7

abe2869f-9b47-4cd9-a358-c22904dba7f7

Copy &Password

Copy &Password

&HTML Report - All Items

&HTML Report - All Items

HTML R&eport - Selected Items

HTML R&eport - Selected Items

HTML Report - All Items

HTML Report - All Items

HTML Report - Selected Items

HTML Report - Selected Items

Load Passwords From...

Load Passwords From...

Google Chrome

Google Chrome

Mozilla Firefox

Mozilla Firefox

SeaMonkey

SeaMonkey

Firefox Options

Firefox Options

Master password:

Master password:

Firefox Profile:

Firefox Profile:

Firefox Installation:

Firefox Installation:

Chrome Options

Chrome Options

Opera Options

Opera Options

wand.dat file:

wand.dat file:

%d Passwords

%d Passwords

, %d Selected

, %d Selected

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)

Loading... %d

Loading... %d

KeePass csv file

KeePass csv file

Opera Password File

Opera Password File

Firefox 1.x

Firefox 1.x

Firefox 2.x

Firefox 2.x

Firefox 3.0

Firefox 3.0

Firefox

Firefox

Chrome

Chrome

Web Browser

Web Browser

Password

Password

Password Strength

Password Strength

Password Field

Password Field

WebBrowserPassView.exe

WebBrowserPassView.exe

VVV.google.com/Please log in to your Gmail account

VVV.google.com/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com:443/Please log in to your Gmail account

VVV.google.com/Please log in to your Google Account

VVV.google.com/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com:443/Please log in to your Google Account

VVV.google.com

VVV.google.com

dWindowsLive:name=*

dWindowsLive:name=*

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

82BD0E67-9FEA-4748-8672-D5EFE5B779B0

Copy Password

Copy Password

%d items

%d items

Select Eudora.ini filename/Select the location of Thunderbird installation

Select Eudora.ini filename/Select the location of Thunderbird installation

Eudora.ini file

Eudora.ini file

SMTP

SMTP

Windows Mail

Windows Mail

Windows Live Mail

Windows Live Mail

Server Port

Server Port

SMTP Server Port

SMTP Server Port

Mail Password Recovery

Mail Password Recovery

mailpv.exe

mailpv.exe

3, 7 #,)

3, 7 #,)

2400000

2400000

MessageBoxIcon.Error

MessageBoxIcon.Error

noftp

noftp

filename.exe

filename.exe

hXXp://VVV.example.com/directory/file.exe

hXXp://VVV.example.com/directory/file.exe

Disablecmd

Disablecmd

\Windows Update.exe

\Windows Update.exe

\WindowsUpdate.exe

\WindowsUpdate.exe

SysInfo.txt

SysInfo.txt

\pid.txt

\pid.txt

\pidloc.txt

\pidloc.txt

\Mozilla\Firefox\Profiles

\Mozilla\Firefox\Profiles

127.0.0.1

127.0.0.1

\SteamAppData.vdf

\SteamAppData.vdf

\ClientRegistry.blob

\ClientRegistry.blob

MessageBoxIcon.Exclamation

MessageBoxIcon.Exclamation

Keylogger Enabled:

Keylogger Enabled:

Operating System:

Operating System:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

autorun.inf

autorun.inf

open=Sys.exe

open=Sys.exe

Sys.exe

Sys.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

Windows Update

Windows Update

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

Microsoft.NET\Framework\v2.0.50727\vbc.exe

holdermail.txt"

holdermail.txt"

holdermail.txt

holdermail.txt

Operating System Intel Recovery

Operating System Intel Recovery

Operating System Platform:

Operating System Platform:

Operating System Version:

Operating System Version:

WEB Browser Password Recovery

WEB Browser Password Recovery

Mail Messenger Password Recovery

Mail Messenger Password Recovery

Jdownloader Password Recovery

Jdownloader Password Recovery

holderwb.txt"

holderwb.txt"

holderwb.txt

holderwb.txt

\.minecraft\lastlogin

\.minecraft\lastlogin

There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor

There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor

Logger - Key Recorder - [

Logger - Key Recorder - [

Keylogger Log

Keylogger Log

.jpeg

.jpeg

Logger_KeyLog_

Logger_KeyLog_

hXXp://whatismyipaddress.com/

hXXp://whatismyipaddress.com/

Debugger.Resources

Debugger.Resources

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

%original file name%.exe_640_rwx_00A2A000_00003000:

okEy

okEy

%original file name%.exe_640_rwx_675A6000_00003000:

.Qg

.Qg

*Rg`.Rg|)RgL Rg

*Rg`.Rg|)RgL Rg