Trojan-Dropper.Win32.Sysn.auuu (Kaspersky), Gen:Variant.Zusy.138130 (B) (Emsisoft), Gen:Variant.Zusy.138130 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0b6f8cb649b3f077d78d9a6a46cc7445
SHA1: b7eb29ef8b972896099d5172db635f8555329621
SHA256: d6060cd0658f63e3e2408b34ad3a763adf98059b7b0696354391b6bc2a5369d3
SSDeep: 12288:WkIuNYzne02RjsskAUwxD8WyItMbQ540gFTUWBO:jIu6Te02Rj1RAWcbQ5BW
Size: 587776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-20 01:05:14
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
hkmsvc.exe:3716
hkmsvc.exe:2716
hkmsvc.exe:3076
hkmsvc.exe:3712
hkmsvc.exe:3496
hkmsvc.exe:3928
hkmsvc.exe:3288
hkmsvc.exe:2840
hkmsvc.exe:3048
hkmsvc.exe:2096
hkmsvc.exe:3324
hkmsvc.exe:136
hkmsvc.exe:3328
hkmsvc.exe:496
hkmsvc.exe:3808
hkmsvc.exe:2524
hkmsvc.exe:3128
hkmsvc.exe:2320
hkmsvc.exe:2612
hkmsvc.exe:3552
hkmsvc.exe:1944
hkmsvc.exe:404
hkmsvc.exe:2952
hkmsvc.exe:2244
hkmsvc.exe:932
hkmsvc.exe:1916
hkmsvc.exe:2240
hkmsvc.exe:3992
hkmsvc.exe:2408
hkmsvc.exe:3764
hkmsvc.exe:3832
hkmsvc.exe:2704
hkmsvc.exe:2852
hkmsvc.exe:2468
hkmsvc.exe:3484
hkmsvc.exe:3932
hkmsvc.exe:120
hkmsvc.exe:3332
hkmsvc.exe:4032
hkmsvc.exe:1952
hkmsvc.exe:3644
hkmsvc.exe:1068
hkmsvc.exe:2552
hkmsvc.exe:2556
hkmsvc.exe:3568
hkmsvc.exe:2492
hkmsvc.exe:2996
hkmsvc.exe:3244
hkmsvc.exe:2068
hkmsvc.exe:2804
hkmsvc.exe:2060
hkmsvc.exe:2256
hkmsvc.exe:2992
hkmsvc.exe:3000
hkmsvc.exe:3772
hkmsvc.exe:3240
hkmsvc.exe:1324
hkmsvc.exe:2872
hkmsvc.exe:3944
hkmsvc.exe:3440
hkmsvc.exe:3276
hkmsvc.exe:3144
hkmsvc.exe:396
hkmsvc.exe:3672
hkmsvc.exe:2308
hkmsvc.exe:3476
hkmsvc.exe:3472
hkmsvc.exe:2300
hkmsvc.exe:3648
hkmsvc.exe:3024
hkmsvc.exe:4048
hkmsvc.exe:2788
hkmsvc.exe:1856
hkmsvc.exe:3160
hkmsvc.exe:420
hkmsvc.exe:1400
hkmsvc.exe:3744
hkmsvc.exe:912
hkmsvc.exe:3812
hkmsvc.exe:584
hkmsvc.exe:3816
hkmsvc.exe:304
hkmsvc.exe:2448
hkmsvc.exe:2932
hkmsvc.exe:2880
hkmsvc.exe:588
hkmsvc.exe:2764
hkmsvc.exe:384
hkmsvc.exe:240
hkmsvc.exe:3848
hkmsvc.exe:3368
hkmsvc.exe:2832
hkmsvc.exe:3316
hkmsvc.exe:784
hkmsvc.exe:4056
hkmsvc.exe:2276
hkmsvc.exe:4052
hkmsvc.exe:3396
hkmsvc.exe:2576
hkmsvc.exe:3096
hkmsvc.exe:2676
hkmsvc.exe:1972
hkmsvc.exe:2372
hkmsvc.exe:516
hkmsvc.exe:2616
hkmsvc.exe:3596
hkmsvc.exe:3616
hkmsvc.exe:2476
hkmsvc.exe:3804
hkmsvc.exe:1344
hkmsvc.exe:2296
hkmsvc.exe:456
hkmsvc.exe:3756
hkmsvc.exe:3004
hkmsvc.exe:3824
hkmsvc.exe:3256
hkmsvc.exe:2196
hkmsvc.exe:1900
hkmsvc.exe:1588
hkmsvc.exe:2204
hkmsvc.exe:4064
hkmsvc.exe:2056
hkmsvc.exe:2888
hkmsvc.exe:1732
hkmsvc.exe:2564
hkmsvc.exe:3388
hkmsvc.exe:2688
hkmsvc.exe:3088
hkmsvc.exe:2684
hkmsvc.exe:1508
hkmsvc.exe:2680
hkmsvc.exe:2116
hkmsvc.exe:2816
hkmsvc.exe:2420
hkmsvc.exe:460
hkmsvc.exe:2588
hkmsvc.exe:3892
hkmsvc.exe:3072
hkmsvc.exe:2180
hkmsvc.exe:3520
hkmsvc.exe:3996
hkmsvc.exe:3724
hkmsvc.exe:4076
hkmsvc.exe:3528
hkmsvc.exe:3176
hkmsvc.exe:3688
hkmsvc.exe:3376
hkmsvc.exe:2896
hkmsvc.exe:3372
hkmsvc.exe:3684
hkmsvc.exe:3012
hkmsvc.exe:3964
hkmsvc.exe:2108
hkmsvc.exe:3960
hkmsvc.exe:1744
hkmsvc.exe:3272
hkmsvc.exe:2356
hkmsvc.exe:1632
hkmsvc.exe:2860
hkmsvc.exe:2736
hkmsvc.exe:2232
hkmsvc.exe:3900
hkmsvc.exe:600
hkmsvc.exe:3680
hkmsvc.exe:3860
hkmsvc.exe:3908
hkmsvc.exe:3220
hkmsvc.exe:2824
hkmsvc.exe:2944
hkmsvc.exe:3732
hkmsvc.exe:3068
hkmsvc.exe:2340
hkmsvc.exe:876
hkmsvc.exe:3340
hkmsvc.exe:4004
hkmsvc.exe:1136
hkmsvc.exe:3344
hkmsvc.exe:956
hkmsvc.exe:3184
hkmsvc.exe:1692
hkmsvc.exe:2508
hkmsvc.exe:2748
hkmsvc.exe:3192
hkmsvc.exe:1752
hkmsvc.exe:2500
hkmsvc.exe:2648
hkmsvc.exe:3628
hkmsvc.exe:2876
hkmsvc.exe:3624
hkmsvc.exe:2728
hkmsvc.exe:3500
hkmsvc.exe:3352
hkmsvc.exe:3236
hkmsvc.exe:1884
hkmsvc.exe:2332
hkmsvc.exe:3428
hkmsvc.exe:3420
hkmsvc.exe:3548
hkmsvc.exe:4016
hkmsvc.exe:2000
hkmsvc.exe:3576
hkmsvc.exe:2532
hkmsvc.exe:2604
hkmsvc.exe:1368
AppMgmt.exe:332
%original file name%.exe:1992
vbc.exe:3872
vbc.exe:2348
The Trojan injects its code into the following process(es):
hkmsvc.exe:2132
AppMgmt.exe:2384
%original file name%.exe:640
Mutexes
The following mutexes were created/opened:
ShimCacheMutexRasPbFile
File activity
The process hkmsvc.exe:2132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (0 bytes)
The process %original file name%.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (3361 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holdermail.txt (0 bytes)
The process %original file name%.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (3361 bytes)
The process vbc.exe:3872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes)
Registry activity
The process hkmsvc.exe:3716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 05 F0 F3 9A 7E 30 FD DD 86 32 E2 12 80 8F 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D2 6C 66 30 E7 8A A3 12 AB C2 1A AC D9 63 7D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 46 21 2F 8A 8F 02 36 5F 9C 25 E1 A6 EC 48 E6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 19 9F A4 22 28 52 34 8C 47 FA B5 D2 6B A3 EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 D8 32 7E 3C 16 42 80 DF 8D 6A F5 B2 28 A5 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 97 23 87 64 1D 6E C0 E8 4A C6 64 A0 9D 8C C6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 90 93 C9 F3 8B 85 27 51 A6 10 A4 E0 A1 D6 BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 F6 AB BD B0 29 E8 08 33 B6 90 A1 1D A2 48 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 4B 47 87 CB B9 8B E9 76 91 55 B9 AB 0D 07 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AA EC 95 B3 86 F6 D5 AA 96 EB D6 78 0B 0A 94"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 90 57 C6 9A 93 31 C6 8E 17 22 F8 F4 86 31 72"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 19 BF 3C 5E AA 20 51 FC 7E F0 9D B9 2D 69 35"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC CD E0 41 51 FA 68 71 0A 82 8C 32 7C DD 92 2F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 6E B1 4B 81 87 90 BD 51 A0 15 CB 31 48 F9 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F A4 4E E3 48 75 2A 99 83 60 79 CE 1A 10 85 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 E4 25 D8 4D 90 55 E0 05 DD 08 3D D7 8B 8C 4D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 22 1F BF 96 4C 67 FD 71 1E 43 7D BB C4 36 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 90 62 6D 5B 1E 76 5E 5B F4 E1 D4 4E A2 B8 88"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 6F 23 D9 67 43 19 62 5C 91 12 2D F5 11 07 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 49 AD 11 C7 39 34 B6 CE 83 9B DF 06 8D CD 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 9E D7 CF E0 E9 51 1C 08 6E 12 F6 A2 38 01 F5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 9F F2 FC 3B 42 9D 3D 3E 04 87 31 26 2C 90 11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 28 B1 FA 19 96 8D D9 9E CF 0C F9 BA 96 54 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC A9 81 46 ED 74 CE 14 D3 D9 CE 01 D1 62 02 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 98 B5 3A C9 6B EF 9F 52 9E 93 D2 3F 0A 99 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 02 F8 8A 29 D2 68 6E 6F 07 AF 41 19 80 E9 60"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 41 85 DE BF 65 0A 71 10 0E D4 D0 B1 53 F4 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C D1 07 50 FE F4 67 F9 0E 47 9B E0 69 CE 02 EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 7B 87 5A 3E 73 C2 A5 84 12 ED A6 92 A8 93 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C F9 09 39 77 09 8E C9 ED C5 44 9B 58 36 BA 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 49 3E AB 28 D1 B7 43 65 F7 55 5E B3 3C 81 08"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 D5 32 FF 86 31 80 DB 64 D5 EE 34 34 7E 7B 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD AA F9 67 76 6E D1 EC 59 44 E2 E4 B4 65 91 E2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 CA 74 9D 4A B9 8E C7 66 D2 4B 6B 8C 19 E4 C0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 15 EB EE 15 81 2D 9F 64 10 07 89 D1 DA 52 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 9B 6D 34 CF 83 8F 75 B5 34 C1 11 8F 76 C5 6D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 47 CA 3E 96 8D 54 E9 8A 1A 3E AE DE 91 36 CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 69 58 0F B8 27 E5 A0 63 C5 F5 CE 1B 29 3A 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AF 5D 0D C4 B2 40 04 8C EB 5C 21 F0 1B 42 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 7B 62 9B A9 D9 48 41 7F E1 D1 1A 9A 52 AF 19"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 0A 80 98 D6 36 A3 14 4C 41 B2 8A A2 F8 E1 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6F 39 12 3F CA 14 9B FD 88 F5 33 37 27 40 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 47 DA 3B D3 A5 34 3C 67 2A 93 BE EB 9D D0 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B FD 01 1E B9 A1 29 03 0A 34 3E 6D 13 1F C7 AB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 7D 94 70 FE 57 2D DA DC DC F0 8D 4A 6E FC 42"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 0E BE AD B8 40 FB 7A DB 50 06 32 86 6A 31 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 6C A6 96 F0 56 96 94 E0 26 9D 7D FB 3C 55 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 7D 6A C1 82 0F 20 E5 ED F2 B2 96 63 72 E8 DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 5B 9B D7 C0 D6 C1 5C 1B 1C 5A 8E 02 FC 66 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 20 D4 AD A9 70 F2 37 A4 B1 2F EA A5 D2 BA 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 B6 58 EF 37 85 02 23 90 66 50 26 2E B4 70 E9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 B8 B4 A2 D4 84 F6 10 B1 A1 FA B5 81 EE B2 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 3E A0 C3 ED B9 34 83 FC F7 4E F3 F3 D7 E4 17"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 2A E8 B3 CD C7 8B 59 EF 2D D9 56 A9 66 12 68"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 11 90 FE 8C 75 AC 82 AF 45 E5 17 C3 8E AC 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 3B 11 AC 8E F6 A9 CC 2F 73 66 55 BC 63 2C 41"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E4 97 C1 FA 2A 6B B3 5B 8F 00 2D DC CB 6C 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 BF BD B9 C0 0A 2E 6E 74 73 E1 54 9B 8C 52 B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A C7 79 32 13 4D 93 89 5E 3C C8 EA C1 43 2B 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 99 D1 0B D1 17 E7 9C A3 BB BD 32 57 BF 6D 68"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 55 A8 C9 D3 1F 31 99 C6 4E 7E C5 AD 37 C6 9F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 27 0E DB 87 CE EF C6 51 C5 FE 38 21 CE 4A E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 68 B7 DA 43 9F 94 9B AC B1 54 2D D5 BC 83 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 DC D9 55 A9 E4 66 EA EA 86 62 7C 8D CC B9 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B FC 98 87 C6 DC BF 35 A9 10 CC 94 36 BF 7F 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D AA 97 3D 9E 4D 4C 8B 1E 2C 40 83 F3 67 5E 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 08 60 FF 3E 9D 98 F6 2F 5C BB 58 D5 C7 4F 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B9 77 7B A2 13 6D AE 3C 0A 65 44 09 F3 98 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 8E 48 AA 23 4E D8 EB 32 4C DE 11 A4 35 E7 C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB CF 01 05 36 09 C6 17 16 11 C1 CC 1C 78 16 B5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4048 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 E2 E0 12 CF CB C8 A5 C4 AD 07 AF 29 8E 3F 45"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 16 0D 61 C0 DD BB 84 90 CA 04 A7 BB 67 47 94"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 53 84 B7 A8 60 2D 32 3B F8 02 F8 C1 9E AC E5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 53 32 44 58 B0 C7 46 1F 17 BE C1 64 AA 91 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 96 34 CE 93 91 D3 47 38 43 57 D3 96 E7 CD 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC B1 48 05 FC 0E 9C 0D 45 36 FC 8F 71 41 41 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 03 B4 57 65 22 7C 4B 46 9B EF 41 F5 15 BB 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 14 AB C8 3E 37 C0 A6 C5 E4 2E 4E 52 27 6A EA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 A1 D1 0C 84 5D 6A DF E5 EF 72 AA DB A6 80 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 FF 72 56 33 6E 16 93 69 9F 0E 07 21 33 A0 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 5E C3 E1 5F A8 BD 6D E0 66 A9 B0 1E 02 7F 88"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE EB E5 B8 F2 E5 6B B5 6B 45 2F 70 D7 FE 40 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC A2 FA DD C0 E4 45 24 EF 3E 31 E8 5F 42 CC 2A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 33 FC 66 77 69 16 7F 94 21 F9 A9 B8 14 D2 17"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 B5 51 9C 9B 50 EF 61 4E A9 7A 40 5E A4 A0 62"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 DF 13 8E EF D8 B3 14 74 01 29 B6 7B 4F AD 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C B9 12 E4 94 B0 63 36 B5 A6 90 71 AD C3 96 C5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 E8 10 D3 DE 71 BB 85 CD 6D 21 DC 6F CE 4D 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 2B A0 FF 2B 8F 97 F6 52 8A B0 4E 78 A7 27 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C A5 67 51 CF 07 B1 06 57 BA FD 03 87 85 04 5E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 5A 36 60 ED B9 0D F1 12 36 06 A3 3B 13 D9 E2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 04 DE 63 8C 78 E4 4E 7F F9 CE B5 BB DC 33 CC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 19 6A DE 3B 68 AA AD EB A0 0F 71 9D 8F D1 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 7E 92 8D 7A 74 D3 86 AA 49 7F E7 63 A8 77 FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 44 76 36 E3 BD 4B 4E 0B C2 76 BC E3 8A 50 BB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 B4 41 B4 85 CE C1 C3 EF 46 F0 FB 97 AD 57 4C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C E6 C2 A6 DD 94 B0 D4 89 00 17 1C 3C CE A4 09"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 AD 16 A4 BF 92 61 0F BE 1E 81 D6 F3 77 63 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A7 27 02 8C 2D 32 16 2E FC 5C 02 99 B4 46 AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 28 DC 76 4E 27 4C 61 1F FA BA A2 77 82 8A AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC AF 94 00 1D F5 37 AF 64 EB 65 FC 1C DB AA 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 AE 9C F0 C3 27 03 DE 8F 1B 5E 18 D6 8C 2D 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 DC 5B 70 7B 55 FE F5 CE 09 44 AD 16 B7 42 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 2A 37 26 B4 89 BC 53 ED 92 00 E4 63 C9 19 AB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F E9 4C 0B A9 25 CE BF 47 36 BC C8 12 75 B3 12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 78 62 F8 80 E2 ED 17 35 9E 72 C3 6E 6A 35 5C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 ED 0B 94 95 EE CF B7 DA BF DE 05 1A 25 F9 CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C DE DD 84 84 34 36 1E 10 6A A3 AC F2 5E 66 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 2F 59 CA 14 3D E8 72 F4 CF 3A F6 13 8B 9E 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 D7 0A 51 ED BF 86 FF B0 B0 85 15 36 61 CA 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FD 34 9C 9B D7 9E 0E 86 E0 12 B9 EA 25 5A 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 2C 2F 4A 37 89 6C DD 89 5D 8E 6D 28 60 FE 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 B5 B6 8E 6B 56 57 66 39 E6 34 C0 3D DF 5B DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 0A 89 CF F0 9E 12 BF B1 DB 01 BF DF D6 E1 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 40 F7 7C EF 20 6A 25 AF A7 54 06 92 CA DD FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D2 F6 7B 53 97 48 C7 B4 9C 6A 5F CF A4 8C 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 8F 40 FA 83 12 98 BB 30 07 5A 35 88 EC 8D 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B F1 A1 5F C0 85 BF 6D 1B DB 76 D6 BA F8 00 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 11 B0 BD 7B E7 BA 3D 27 F3 52 B4 CE E8 BF 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 5F AD 02 75 7F FD E9 22 EC FC FD 83 31 8E 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA FE 72 70 1B 56 54 8F B6 19 06 D4 4F AA 4D F9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA B9 B2 9B 94 3D FC 26 D9 B5 56 89 FD 74 CF 65"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 F1 76 6B 82 99 FC F9 DF B7 75 B6 35 7C 49 C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 0A 3C 06 5E D3 56 58 E3 1A 3E D7 4D 6D A7 FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 45 24 D4 00 84 75 E6 81 D2 D8 22 67 14 B4 AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 A5 3F E5 79 60 46 F4 9F D9 B9 7D 92 3B F1 FA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 37 E3 58 B6 36 86 B2 06 07 6E 56 A0 05 DA 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 5D BC 1E 83 34 72 F4 A1 D5 EB 45 48 02 C1 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A C3 E9 68 5B E6 A3 13 3D D9 11 3B 79 7F 88 1B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 8E 5D 55 86 7F E5 A0 AB 5C EF 2F 61 D3 75 06"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 43 C7 59 95 34 2E BA 3C 9B AA CB 95 70 D5 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 35 55 B2 B6 65 3F FD 40 F4 FC A6 F5 24 D4 BB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 65 4B AB CC 6E 2B 14 33 91 B9 48 AE 2C 03 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 13 05 36 62 56 B2 A1 35 69 74 8B 95 B9 DA 63"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A2 EF AF 6C 09 7B 5C 85 BC D4 3D B6 6E 2F C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 DE FA E4 89 DB AE AB 6D 9F EB 3B 5D C9 A7 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 28 7C 63 FA 63 FE 7D DA 73 C2 0F 67 74 AB B2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F D3 AC 73 3E 9D 2D EC 67 2D A6 FB 6F EA 5C 4A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D BB 2E 63 93 3A 88 FA 78 82 41 23 14 E5 D6 A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 FC 1E 8B BC 7C 75 BB 84 D9 09 7E DB 91 17 BD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 66 5D 45 FF DA E1 8F D3 B3 78 EB 09 B3 74 C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 0F 42 6D 7E 1A 50 33 C3 C6 0F 84 74 4A ED EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 E0 5F E6 8E 01 3D F5 37 B7 8E CE EE EA 59 43"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 20 85 E1 B8 B7 47 E9 1E 1C 94 E5 B9 62 22 12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 78 27 E1 74 AC CF 46 D8 9D 87 E9 F3 BE B7 25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C F7 72 06 10 34 4C 46 2F EE CE 82 4B FD E5 CF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B7 40 53 1B 9F 77 12 46 EE 93 43 20 DB FA 81"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 9D FC 35 05 5D B0 2E 90 B4 00 84 1C 74 DE 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 47 43 7A B6 EC A0 9E 16 56 B5 2B 6E 75 23 8B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 43 7B 7E A5 5D FF C5 DB 4D BC 4B 28 54 65 74"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 B7 78 BC 12 01 CA FC C2 D8 94 66 C0 3B E9 02"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 04 24 9A AA CC 71 E9 4F 7F E6 17 0A 63 F1 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 F3 14 9C 3A 7F 47 81 A0 36 3F EF C9 63 96 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 4C CA 8C 06 AD 91 A0 17 59 41 24 7E 3E 0C 23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 AF 08 5B 43 95 2A 83 FE 63 10 E6 24 AF 60 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 E8 DC C2 5C 6C FF 5F A0 F3 BC 73 FB B5 6B F7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 19 2E C5 37 60 69 F6 2D 73 DC C9 85 42 0F B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB FE 0E A0 C7 C7 76 31 48 16 E4 AC 40 DC 03 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E F7 C4 1F 8F 43 D0 4F 35 86 D6 4A A6 CA E5 AC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 38 B5 59 2F 4F 5C 7E 54 06 84 BF 95 65 73 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 B7 85 8D B2 95 22 14 65 3C 06 32 E7 11 FF 96"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 76 9E 3E E1 F7 DB FA AB B2 B3 1C 10 A4 36 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 CC 61 A2 AF 3F C9 D5 AD B3 28 6C 73 0F 22 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 80 5E B3 19 F1 1C B4 D2 61 6E 9B 32 3E 03 D6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 95 B8 71 61 59 DC 47 50 03 75 82 07 23 C8 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF B1 4E 1B ED 5B 51 51 2E C1 66 2F BC FF B1 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 99 75 14 4C 96 F3 0E F5 EE DF 95 73 82 69 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 DB 2D 1E 2F 9F 66 84 6B 99 8C 0C DC E6 65 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 EC 0E 13 9E DC 9B 4F F5 EB 94 50 75 F3 C0 FC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 04 C5 A0 24 F2 DC 4D 8A DF 61 2B 00 73 04 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 AC 5A 42 FD 25 7F D1 94 88 6A 71 6B 6C B8 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A3 CE 1A 3F B4 05 96 9D 03 8C 04 5A 8D 1A 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process hkmsvc.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 96 4B 15 3A AB 3A D2 EB C5 D5 68 9D C7 16 8B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 11 AF 81 7E C9 7B B7 B7 53 9B 2C DA 00 D5 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 6D 9E C4 E0 E2 62 8C C2 E4 56 37 8A E4 16 AE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA CC A4 80 82 EB B2 FA 6F E6 96 86 A5 CD 79 F4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 C2 73 79 1C 5E 74 48 E7 2A 5B 91 37 4E D2 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 82 D5 7F E2 64 A7 95 FB F0 75 DD EB 36 EA 58"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4C A8 DB 68 8D 51 AB 45 28 27 63 D6 2B B7 22"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 A9 69 A1 16 3A 51 0F 4E F8 E1 E0 01 D1 1F A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B4 29 64 94 EB 0B B6 A7 0E E7 0E 81 E4 86 7A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 CA D5 FA 8A D2 20 F6 D7 8E 73 89 AB 3B CC D1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A A9 45 A2 12 F6 5F 9F 29 24 88 E0 42 6F 5E 59"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 85 A9 B0 94 F1 67 63 6C 5E 08 BA EB ED 11 A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 62 F3 25 2B 4F F4 43 36 A7 87 B8 61 17 71 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 AF 1F A2 FD D5 29 83 65 99 6D BC B1 3D 2E 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 B6 24 21 68 37 35 FF 41 C6 CB 32 9D 75 A2 CE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 FD 91 1F 03 95 54 60 9C AB 7B 25 FC 7C C8 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 12 01 0E B6 ED E2 92 92 AA F8 40 8B BC 03 B0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 F3 80 03 03 B5 69 24 D3 04 21 01 D4 3D 4D 58"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA A2 46 22 CD DC AE C8 D7 DE 13 6C 68 1C 22 24"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 EF CB 53 8F A5 60 D3 70 CA 73 D8 14 DA 6D 3E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 80 F1 61 EC F4 DC 63 C1 3B 37 8A 0D 8B AE AC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E AC F0 94 9F 86 BE F9 64 9E DA 10 3B 63 88 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 1F CA 1E 0B FE A0 A7 2D 4F EB D7 F5 19 10 8F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A C9 71 B7 AE 48 27 6C 40 E4 D1 4F F6 D0 F3 F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A3 8E F2 23 80 43 13 06 37 93 AE 28 2E 0F A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA E4 66 BC 5C B3 C7 2E BB 94 DB 69 F1 A8 E6 37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 CE C7 33 E6 D4 B6 33 BB B8 20 20 9C D6 58 1F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:4016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 45 DA 8E 9E 63 86 F6 AD 04 24 9B 0C CA B0 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 FB B9 6F D9 9D 42 2A 4A 48 DA D0 3B 4D D9 78"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 41 39 38 BD D5 37 E7 5F 9B 2C 3D 00 15 B2 B8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 C2 9C 29 E0 45 2E 5B FC A1 C4 9D BB A0 75 83"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 DA 97 9A 63 45 49 97 33 A8 5F 26 9D C1 AD 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process hkmsvc.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 55 48 20 99 4D E8 94 CC CD 98 B2 13 A8 3C 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process AppMgmt.exe:2384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 8B 90 75 AB D3 86 78 1C 7C 80 B3 92 32 E1 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process AppMgmt.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 E0 D5 C9 1D 72 58 8A B6 EA 70 03 2B 1B CA 0A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"hkmsvc.exe" = " Health Key and Certificate Management"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\0b6f8cb649b3f077d78d9a6a46cc7445\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 38 85 15 2E 50 A0 9D BE 27 5C 14 C1 10 7B 93"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\0b6f8cb649b3f077d78d9a6a46cc7445\DEBUG]
"Trace Level"
The process %original file name%.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 73 BB 2B 77 D5 AB 48 95 66 C1 63 B0 55 FB EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft\Windows]
"AppMgmt.exe" = " Application Management"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process vbc.exe:3872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 2C C8 5E 1F A4 44 29 2E A3 A1 2F F9 FB 80 38"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The process vbc.exe:2348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 9F DE 25 F4 A6 C9 76 2B 2E 6E 17 7D EE 90 C8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
679838bb0e4719d456eac27d910c847e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Windows\AppMgmt.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
hkmsvc.exe:3716
hkmsvc.exe:2716
hkmsvc.exe:3076
hkmsvc.exe:3712
hkmsvc.exe:3496
hkmsvc.exe:3928
hkmsvc.exe:3288
hkmsvc.exe:2840
hkmsvc.exe:3048
hkmsvc.exe:2096
hkmsvc.exe:3324
hkmsvc.exe:136
hkmsvc.exe:3328
hkmsvc.exe:496
hkmsvc.exe:3808
hkmsvc.exe:2524
hkmsvc.exe:3128
hkmsvc.exe:2320
hkmsvc.exe:2612
hkmsvc.exe:3552
hkmsvc.exe:1944
hkmsvc.exe:404
hkmsvc.exe:2952
hkmsvc.exe:2244
hkmsvc.exe:932
hkmsvc.exe:1916
hkmsvc.exe:2240
hkmsvc.exe:3992
hkmsvc.exe:2408
hkmsvc.exe:3764
hkmsvc.exe:3832
hkmsvc.exe:2704
hkmsvc.exe:2852
hkmsvc.exe:2468
hkmsvc.exe:3484
hkmsvc.exe:3932
hkmsvc.exe:120
hkmsvc.exe:3332
hkmsvc.exe:4032
hkmsvc.exe:1952
hkmsvc.exe:3644
hkmsvc.exe:1068
hkmsvc.exe:2552
hkmsvc.exe:2556
hkmsvc.exe:3568
hkmsvc.exe:2492
hkmsvc.exe:2996
hkmsvc.exe:3244
hkmsvc.exe:2068
hkmsvc.exe:2804
hkmsvc.exe:2060
hkmsvc.exe:2256
hkmsvc.exe:2992
hkmsvc.exe:3000
hkmsvc.exe:3772
hkmsvc.exe:3240
hkmsvc.exe:1324
hkmsvc.exe:2872
hkmsvc.exe:3944
hkmsvc.exe:3440
hkmsvc.exe:3276
hkmsvc.exe:3144
hkmsvc.exe:396
hkmsvc.exe:3672
hkmsvc.exe:2308
hkmsvc.exe:3476
hkmsvc.exe:3472
hkmsvc.exe:2300
hkmsvc.exe:3648
hkmsvc.exe:3024
hkmsvc.exe:4048
hkmsvc.exe:2788
hkmsvc.exe:1856
hkmsvc.exe:3160
hkmsvc.exe:420
hkmsvc.exe:1400
hkmsvc.exe:3744
hkmsvc.exe:912
hkmsvc.exe:3812
hkmsvc.exe:584
hkmsvc.exe:3816
hkmsvc.exe:304
hkmsvc.exe:2448
hkmsvc.exe:2932
hkmsvc.exe:2880
hkmsvc.exe:588
hkmsvc.exe:2764
hkmsvc.exe:384
hkmsvc.exe:240
hkmsvc.exe:3848
hkmsvc.exe:3368
hkmsvc.exe:2832
hkmsvc.exe:3316
hkmsvc.exe:784
hkmsvc.exe:4056
hkmsvc.exe:2276
hkmsvc.exe:4052
hkmsvc.exe:3396
hkmsvc.exe:2576
hkmsvc.exe:3096
hkmsvc.exe:2676
hkmsvc.exe:1972
hkmsvc.exe:2372
hkmsvc.exe:516
hkmsvc.exe:2616
hkmsvc.exe:3596
hkmsvc.exe:3616
hkmsvc.exe:2476
hkmsvc.exe:3804
hkmsvc.exe:1344
hkmsvc.exe:2296
hkmsvc.exe:456
hkmsvc.exe:3756
hkmsvc.exe:3004
hkmsvc.exe:3824
hkmsvc.exe:3256
hkmsvc.exe:2196
hkmsvc.exe:1900
hkmsvc.exe:1588
hkmsvc.exe:2204
hkmsvc.exe:4064
hkmsvc.exe:2056
hkmsvc.exe:2888
hkmsvc.exe:1732
hkmsvc.exe:2564
hkmsvc.exe:3388
hkmsvc.exe:2688
hkmsvc.exe:3088
hkmsvc.exe:2684
hkmsvc.exe:1508
hkmsvc.exe:2680
hkmsvc.exe:2116
hkmsvc.exe:2816
hkmsvc.exe:2420
hkmsvc.exe:460
hkmsvc.exe:2588
hkmsvc.exe:3892
hkmsvc.exe:3072
hkmsvc.exe:2180
hkmsvc.exe:3520
hkmsvc.exe:3996
hkmsvc.exe:3724
hkmsvc.exe:4076
hkmsvc.exe:3528
hkmsvc.exe:3176
hkmsvc.exe:3688
hkmsvc.exe:3376
hkmsvc.exe:2896
hkmsvc.exe:3372
hkmsvc.exe:3684
hkmsvc.exe:3012
hkmsvc.exe:3964
hkmsvc.exe:2108
hkmsvc.exe:3960
hkmsvc.exe:1744
hkmsvc.exe:3272
hkmsvc.exe:2356
hkmsvc.exe:1632
hkmsvc.exe:2860
hkmsvc.exe:2736
hkmsvc.exe:2232
hkmsvc.exe:3900
hkmsvc.exe:600
hkmsvc.exe:3680
hkmsvc.exe:3860
hkmsvc.exe:3908
hkmsvc.exe:3220
hkmsvc.exe:2824
hkmsvc.exe:2944
hkmsvc.exe:3732
hkmsvc.exe:3068
hkmsvc.exe:2340
hkmsvc.exe:876
hkmsvc.exe:3340
hkmsvc.exe:4004
hkmsvc.exe:1136
hkmsvc.exe:3344
hkmsvc.exe:956
hkmsvc.exe:3184
hkmsvc.exe:1692
hkmsvc.exe:2508
hkmsvc.exe:2748
hkmsvc.exe:3192
hkmsvc.exe:1752
hkmsvc.exe:2500
hkmsvc.exe:2648
hkmsvc.exe:3628
hkmsvc.exe:2876
hkmsvc.exe:3624
hkmsvc.exe:2728
hkmsvc.exe:3500
hkmsvc.exe:3352
hkmsvc.exe:3236
hkmsvc.exe:1884
hkmsvc.exe:2332
hkmsvc.exe:3428
hkmsvc.exe:3420
hkmsvc.exe:3548
hkmsvc.exe:4016
hkmsvc.exe:2000
hkmsvc.exe:3576
hkmsvc.exe:2532
hkmsvc.exe:2604
hkmsvc.exe:1368
AppMgmt.exe:332
%original file name%.exe:1992
vbc.exe:3872
vbc.exe:2348 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\AppMgmt.exe (18 bytes)
%Documents and Settings%\%current user%\Application Data\pid.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe (3361 bytes)
%System%\wbem\Logs\wbemprox.log (150 bytes)
%Documents and Settings%\%current user%\Application Data\pidloc.txt (39 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\hkmsvc.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\holderwb.txt (2 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\WindowsUpdate.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: hkmsvc
Product Version: 15.0.30373.5119
Legal Copyright: Copyright (c) 2013 - 2015
Legal Trademarks:
Original Filename: hkmsvc.exe
Internal Name: hkmsvc
File Version: 15.0.30274.5111
File Description: Health Key and Certificate Management
Comments:
Language: English (United States)
Company Name: Product Name: hkmsvcProduct Version: 15.0.30373.5119Legal Copyright: Copyright (c) 2013 - 2015Legal Trademarks: Original Filename: hkmsvc.exe Internal Name: hkmsvc File Version: 15.0.30274.5111File Description: Health Key and Certificate Management Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 584900 | 585216 | 5.30553 | f96e2718ba0d82cd8328ce1982cd7842 |
.rsrc | 598016 | 1536 | 1536 | 2.87134 | c8887e386014e9110e621f231590eeac |
.reloc | 606208 | 12 | 512 | 0.056519 | 01b67511afc005f180c4c785361f5051 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 66.171.248.172 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 12 May 2015 23:20:29 GMT
Server: Apache/2.2.29 (Unix) DAV/2 PHP/5.4.38 mod_ssl/2.2.29 OpenSSL/0.9.8zd
Set-Cookie: pt=cfea4c912e46fcc1fad199940d30783d; expires=Wed, 13-May-2015 23:20:29 GMT
Cache-Control: max-age=15
MS-Author-Via: DAV
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
217f..<!doctype html>.<html lang="en">.<head>..<meta charset="windows-1252">..<meta name="robots" content="noarchive">..<title>What Is My IP Address? IP Address Tools and More</title>..<meta name="description" content="IP address lookup, location, proxy detection, email tracing, IP hiding tips, blacklist check, speed test, and forums. Find, get, and show my IP address.">..<meta name="keywords" content="my ip ,ip, address, adress, my, what, is, find, get, show, locate, change, location, how, do, i, ip address, proxy, server, anonymous, hide, conceal, stealth, surf, web, anonymizer, anonymize, changer, privacy, geolocation, geolocate, lookup, look up, locate, trace, track, email, source, headers">..<meta property="fb:admins" content="607824267">..<meta name="thumbnail" content="hXXp://cdn.whatismyipaddress.com/images-v4/globe.png">..<link rel="image_src" type="image/png" href="hXXp://cdn.whatismyipaddress.com/images-v4/globe.png">..<link rel="shortcut icon" href="hXXp://cdn.whatismyipaddress.com/favicon.ico">...<link rel="stylesheet" type="text/css" href="hXXp://cdn.whatismyipaddress.com/css/myip_v4_5.css">..<link rel="publisher" href="hXXps://plus.google.com/ whatismyipaddress">..<link rel="canonical" href="hXXp://whatismyipaddress.com">..<link rel="alternate" hreflang="fr" href="hXXp://whatismyipaddress.com/fr/mon-ip">..<link rel="alternate" hreflang="de" href="hXXp://whatismyipaddress.com/de/meine-ip">.
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_640:
.text
.text
`.rsrc
`.rsrc
@.reloc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
v2.0.50727
CMemoryExecute.dll
CMemoryExecute.dll
CMemoryExecute
CMemoryExecute
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READWRITE
.ctor
.ctor
System.Reflection
System.Reflection
System.Runtime.InteropServices
System.Runtime.InteropServices
System.Security.Permissions
System.Security.Permissions
System.Diagnostics
System.Diagnostics
System.Runtime.CompilerServices
System.Runtime.CompilerServices
DllImportAttribute
DllImportAttribute
kernel32.dll
kernel32.dll
ntdll.dll
ntdll.dll
System.Security
System.Security
$8fcd4931-91a2-4e18-849b-70de34ab75df
$8fcd4931-91a2-4e18-849b-70de34ab75df
1.0.0.0
1.0.0.0
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb
C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb
mscoree.dll
mscoree.dll
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
D$.SPf
D$.SPf
2 34 567
2 34 567
com.apple.Safari
com.apple.Safari
com.apple.WebKit2WebProcess
com.apple.WebKit2WebProcess
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
"Account","Login Name","Password","Web Site","Comments"
"Account","Login Name","Password","Web Site","Comments"
3.7.5
3.7.5
SQLite format 3
SQLite format 3
CREATE TABLE sqlite_master(
CREATE TABLE sqlite_master(
sql text
sql text
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
PK11_GetInternalKeySlot
PK11_GetInternalKeySlot
PK11_CheckUserPassword
PK11_CheckUserPassword
large file support is disabled
large file support is disabled
unknown operation
unknown operation
SQL logic error or missing database
SQL logic error or missing database
foreign_keys
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_compileoption_used
sqlite_source_id
sqlite_source_id
sqlite_version
sqlite_version
sqlite_attach
sqlite_attach
sqlite_detach
sqlite_detach
sqlite_stat1
sqlite_stat1
sqlite_rename_parent
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_trigger
sqlite_rename_table
sqlite_rename_table
%Y-%m-%d %H:%M:%S
%Y-%m-%d %H:%M:%S
%Y-%m-%d
%Y-%m-%d
%H:%M:%S
%H:%M:%S
SQLITE_
SQLITE_
failed to allocate %u bytes of memory
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
failed memory resize %u to %u bytes
922337203685477580
922337203685477580
API call with %s database connection pointer
API call with %s database connection pointer
%s-shm
%s-shm
%s\etilqs_
%s\etilqs_
OsError 0x%x (%u)
OsError 0x%x (%u)
Recovered %d frames from WAL file %s
Recovered %d frames from WAL file %s
%s-mjX
%s-mjX
foreign key constraint failed
foreign key constraint failed
unable to use function %s in the requested context
unable to use function %s in the requested context
abort at %d in [%s]: %s
abort at %d in [%s]: %s
constraint failed at %d in [%s]
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
cannot open savepoint - SQL statements in progress
no such savepoint: %s
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
statement aborts at %d: [%s] %s
misuse of aliased aggregate %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s.%s
%s: %s.%s
%s: %s.%s
%s: %s
%s: %s
%r %s BY term out of range - should be between 1 and %d
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
variable number must be between ?1 and ?%d
too many SQL variables
too many SQL variables
too many columns in %s
too many columns in %s
oversized integer: %s%s
oversized integer: %s%s
misuse of aggregate: %s()
misuse of aggregate: %s()
%.*s"%w"%s
%.*s"%w"%s
%s%.*s"%w"
%s%.*s"%w"
%s OR name=%Q
%s OR name=%Q
type='trigger' AND (%s)
type='trigger' AND (%s)
there is already another table or index with this name: %s
there is already another table or index with this name: %s
sqlite_
sqlite_
table %s may not be altered
table %s may not be altered
view %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
DELETE FROM %Q.%s WHERE tbl=%Q
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
invalid name: "%s"
too many attached databases - max %d
too many attached databases - max %d
database %s is already in use
database %s is already in use
unable to open database: %s
unable to open database: %s
no such database: %s
no such database: %s
cannot detach database %s
cannot detach database %s
database %s is locked
database %s is locked
%s %T cannot reference objects in database %s
%s %T cannot reference objects in database %s
object name reserved for internal use: %s
object name reserved for internal use: %s
there is already an index named %s
there is already an index named %s
too many columns on %s
too many columns on %s
duplicate column name: %s
duplicate column name: %s
default value of column [%s] is not constant
default value of column [%s] is not constant
table "%s" has more than one primary key
table "%s" has more than one primary key
no such collation sequence: %s
no such collation sequence: %s
CREATE %s %.*s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
view %s is circularly defined
view %s is circularly defined
table %s may not be dropped
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
use DROP VIEW to delete view %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
foreign key on %s should reference only one column of table %T
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
unknown column "%s" in foreign key definition
indexed columns are not unique
indexed columns are not unique
table %s may not be indexed
table %s may not be indexed
views may not be indexed
views may not be indexed
virtual tables may not be indexed
virtual tables may not be indexed
there is already a table named %s
there is already a table named %s
index %s already exists
index %s already exists
sqlite_autoindex_%s_%d
sqlite_autoindex_%s_%d
table %s has no column named %s
table %s has no column named %s
CREATE%s INDEX %.*s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
a JOIN clause is required before %s
unable to identify the object to be reindexed
unable to identify the object to be reindexed
table %s may not be modified
table %s may not be modified
cannot modify %s because it is a view
cannot modify %s because it is a view
foreign key mismatch
foreign key mismatch
table %S has %d columns but %d values were supplied
table %S has %d columns but %d values were supplied
%d values for %d columns
%d values for %d columns
table %S has no column named %s
table %S has no column named %s
%s.%s may not be NULL
%s.%s may not be NULL
PRIMARY KEY must be unique
PRIMARY KEY must be unique
automatic extension loading failed: %s
automatic extension loading failed: %s
foreign_key_list
foreign_key_list
malformed database schema (%s)
malformed database schema (%s)
%s - %s
%s - %s
unsupported file format
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unknown or unsupported join type: %T %T%s%T
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
cannot join using column %s - column not present in both tables
%s.%s
%s.%s
%s:%d
%s:%d
no such index: %s
no such index: %s
sqlite_subquery_%p_
sqlite_subquery_%p_
no such table: %s
no such table: %s
cannot create %s trigger on view: %S
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such trigger: %S
no such column: %s
no such column: %s
cannot VACUUM - SQL statements in progress
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
at most %d tables in a join
cannot use index: %s
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unable to close due to unfinished backup operation
unknown database: %s
unknown database: %s
no such vfs: %s
no such vfs: %s
database corruption at line %d of [%.10s]
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
cannot open file at line %d of [%.10s]
sqlite3_open
sqlite3_open
sqlite3_prepare
sqlite3_prepare
sqlite3_step
sqlite3_step
sqlite3_column_text
sqlite3_column_text
sqlite3_column_int
sqlite3_column_int
sqlite3_column_int64
sqlite3_column_int64
sqlite3_finalize
sqlite3_finalize
sqlite3_close
sqlite3_close
sqlite3_exec
sqlite3_exec
f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb
f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb
msvcrt.dll
msvcrt.dll
_wcmdln
_wcmdln
COMCTL32.dll
COMCTL32.dll
VERSION.dll
VERSION.dll
FindCloseUrlCache
FindCloseUrlCache
FindNextUrlCacheEntryW
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryW
WININET.dll
WININET.dll
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
EnumChildWindows
EnumChildWindows
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
comdlg32.dll
comdlg32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
5JEw%Xg
5JEw%Xg
hXXp://VVV.usertrust.com1
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
hXXps://secure.comodo.net/CPS0A
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
hXXp://ocsp.comodoca.com0
support@nirsoft.net0
support@nirsoft.net0
t{SSh
t{SSh
v%SSW
v%SSW
Mail PassView
Mail PassView
Mozilla\Profiles
Mozilla\Profiles
Software\Mozilla\Mozilla Thunderbird
Software\Mozilla\Mozilla Thunderbird
%s\Main
%s\Main
sqlite3.dll
sqlite3.dll
nss3.dll
nss3.dll
%programfiles%\Mozilla Thunderbird
%programfiles%\Mozilla Thunderbird
AddExportHeaderLine
AddExportHeaderLine
%s %s %s
%s %s %s
HTTPMail User Name
HTTPMail User Name
SMTP USer Name
SMTP USer Name
HTTPMail Server
HTTPMail Server
SMTP Server
SMTP Server
POP3 Password2
POP3 Password2
IMAP Password2
IMAP Password2
HTTPMail Password2
HTTPMail Password2
SMTP Password2
SMTP Password2
POP3 Port
POP3 Port
IMAP Port
IMAP Port
HTTPMail Port
HTTPMail Port
SMTP Port
SMTP Port
HTTPMail Secure Connection
HTTPMail Secure Connection
SMTP Secure Connection
SMTP Secure Connection
SMTP Display Name
SMTP Display Name
SMTP Email Address
SMTP Email Address
POP3 Password
POP3 Password
IMAP Password
IMAP Password
HTTP Password
HTTP Password
SMTP Password
SMTP Password
HTTP User
HTTP User
SMTP User
SMTP User
HTTP Server URL
HTTP Server URL
HTTP Port
HTTP Port
HTTPMail Use SSL
HTTPMail Use SSL
SMTP Use SSL
SMTP Use SSL
%s\%s
%s\%s
PopPort
PopPort
PopPassword
PopPassword
SMTPAccount
SMTPAccount
SMTPServer
SMTPServer
SMTPPort
SMTPPort
SMTPLogSecure
SMTPLogSecure
SMTPPassword
SMTPPassword
%s\Accounts
%s\Accounts
LoginName
LoginName
SavePasswordText
SavePasswordText
ESMTPUsername
ESMTPUsername
ESMTPPassword
ESMTPPassword
POP3Password
POP3Password
fb.dat
fb.dat
%s@gmail.com
%s@gmail.com
%s@yahoo.com
%s@yahoo.com
Software\Microsoft\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
%s %s
%s %s
smtp
smtp
advapi32.dll
advapi32.dll
comctl32.dll
comctl32.dll
*.ini
*.ini
netmsg.dll
netmsg.dll
Error %d: %s
Error %d: %s
%s (%s)
%s (%s)
menu_%d
menu_%d
dialog_%d
dialog_%d
TranslatorURL
TranslatorURL
_lng.ini
_lng.ini
%-18s: %s
%-18s: %s
%%-%d.%ds
%%-%d.%ds
%s %s %s %s %s%s %s%sbgcolor="%s"
bgcolor="%s"
%s
%s
%s%s>
%s%s>
%s>
%s>
report.html
report.html
*.txt
*.txt
*.htm;*.html
*.htm;*.html
*.xml
*.xml
*.csv
*.csv
Software\NirSoft\MailPassView
Software\NirSoft\MailPassView
MailPassView
MailPassView
/skeepass
/skeepass
/deleteregkey
/deleteregkey
Failed to load the executable file !
Failed to load the executable file !
mail.account.account
mail.account.account
mail.server
mail.server
port
port
mail.identity
mail.identity
signon.signonfilename
signon.signonfilename
mailbox://%s@%s
mailbox://%s@%s
imap://%s@%s
imap://%s@%s
mailbox://%s
mailbox://%s
imap://%s
imap://%s
signons.txt
signons.txt
signons.sqlite
signons.sqlite
prefs.js
prefs.js
Password.NET Messenger Service
Password.NET Messenger Service
User.NET Messenger Service
User.NET Messenger Service
Passport.Net\*
Passport.Net\*
ps:password
ps:password
windowslive:name=
windowslive:name=
Exception %8.8X at address %8.8X in module %s
Exception %8.8X at address %8.8X in module %s
Stack Data: %s
Stack Data: %s
Code Data: %s
Code Data: %s
mozsqlite3.dll
mozsqlite3.dll
psapi.dll
psapi.dll
pstorec.dll
pstorec.dll
5e7e8100-9138-11d1-945a-00c04fc308ff
5e7e8100-9138-11d1-945a-00c04fc308ff
00000000-0000-0000-0000-000000000000
00000000-0000-0000-0000-000000000000
220D5CD0-853A-11D0-84BC-00C04FD43F8F
220D5CD0-853A-11D0-84BC-00C04FD43F8F
220D5CD1-853A-11D0-84BC-00C04FD43F8F
220D5CD1-853A-11D0-84BC-00C04FD43F8F
220D5CC1-853A-11D0-84BC-00C04FD43F8F
220D5CC1-853A-11D0-84BC-00C04FD43F8F
417E2D75-84BD-11D0-84BB-00C04FD43F8F
417E2D75-84BD-11D0-84BB-00C04FD43F8F
shell32.dll
shell32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
shlwapi.dll
shlwapi.dll
%s%s%s%s%s
%s
%s
%s
size="%d"
size="%d"
color="#%s"
color="#%s"
width="%s"
width="%s"
%s%s%s | %s%s%s SOFTWARE\Mozilla SOFTWARE\Mozilla mozilla mozilla %s\bin %s\bin PathToExe PathToExe \sqlite3.dll \sqlite3.dll \mozsqlite3.dll \mozsqlite3.dll Software\Microsoft\Windows Mail Software\Microsoft\Windows Mail Software\Microsoft\Windows Live Mail Software\Microsoft\Windows Live Mail SMTP_Server SMTP_Server SMTP_User_Name SMTP_User_Name POP3_Password2 POP3_Password2 IMAP_Password2 IMAP_Password2 NNTP_Password2 NNTP_Password2 SMTP_Password2 SMTP_Password2 SMTP_Email_Address SMTP_Email_Address SMTP_Port SMTP_Port NNTP_Port NNTP_Port IMAP_Port IMAP_Port POP3_Port POP3_Port SMTP_Secure_Connection SMTP_Secure_Connection *.oeaccount *.oeaccount \Microsoft\Windows Mail \Microsoft\Windows Mail \Microsoft\Windows Live Mail \Microsoft\Windows Live Mail f:\Projects\VS2005\mailpv\Release\mailpv.pdb f:\Projects\VS2005\mailpv\Release\mailpv.pdb _acmdln _acmdln RPCRT4.dll RPCRT4.dll GetWindowsDirectoryA GetWindowsDirectoryA RegDeleteKeyA RegDeleteKeyA RegOpenKeyExA RegOpenKeyExA RegEnumKeyA RegEnumKeyA RegEnumKeyExA RegEnumKeyExA ShellExecuteA ShellExecuteA NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD NirSoftPADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD Debugger.exe Debugger.exe Microsoft.VisualBasic Microsoft.VisualBasic System.Windows.Forms System.Windows.Forms System.Drawing System.Drawing System.Management System.Management tapi32.dll tapi32.dll rtm.dll rtm.dll user32.dll user32.dll Debugger.Debugger.resources Debugger.Debugger.resources Debugger.Resources.resources Debugger.Resources.resources Debugger.My Debugger.My WindowsFormsApplicationBase WindowsFormsApplicationBase Microsoft.VisualBasic.ApplicationServices Microsoft.VisualBasic.ApplicationServices System.ComponentModel System.ComponentModel System.CodeDom.Compiler System.CodeDom.Compiler Microsoft.VisualBasic.Devices Microsoft.VisualBasic.Devices m_MyWebServicesObjectProvider m_MyWebServicesObjectProvider .cctor .cctor get_WebServices get_WebServices HelpKeywordAttribute HelpKeywordAttribute System.ComponentModel.Design System.ComponentModel.Design WebServices WebServices Microsoft.VisualBasic.CompilerServices Microsoft.VisualBasic.CompilerServices System.Collections System.Collections ContainsKey ContainsKey InvalidOperationException InvalidOperationException MyWebServices MyWebServices encryptedpassstring encryptedpassstring encryptedsmtpstring encryptedsmtpstring portstring portstring fakeMSGholder fakeMSGholder encryptedftphost encryptedftphost encryptedftpuser encryptedftpuser encryptedftppass encryptedftppass useftp useftp websitevisitor websitevisitor websiteblocker websiteblocker passstring passstring smtpstring smtpstring ftphost ftphost ftpuser ftpuser ftppass ftppass WM_KEYUP WM_KEYUP WM_KEYDOWN WM_KEYDOWN WM_SYSKEYDOWN WM_SYSKEYDOWN WM_SYSKEYUP WM_SYSKEYUP KeyboardHandle KeyboardHandle KeyLog KeyLog CleanedPasswordsMAIL CleanedPasswordsMAIL CleanedPasswordsWB CleanedPasswordsWB System.IO System.IO get_ExecutablePath get_ExecutablePath set_WindowState set_WindowState FormWindowState FormWindowState UnhookWindowsHookEx UnhookWindowsHookEx SetWindowsHookEx SetWindowsHookEx SetWindowsHookExA SetWindowsHookExA GetAsyncKeyState GetAsyncKeyState vKey vKey HookKeyboard HookKeyboard UnhookKeyboard UnhookKeyboard Operators Operators get_Keyboard get_Keyboard Keyboard Keyboard get_CtrlKeyDown get_CtrlKeyDown get_AltKeyDown get_AltKeyDown KeyboardCallback KeyboardCallback System.Threading System.Threading System.Collections.Generic System.Collections.Generic Microsoft.VisualBasic.MyServices Microsoft.VisualBasic.MyServices System.Collections.ObjectModel System.Collections.ObjectModel MsgBox MsgBox MsgBoxResult MsgBoxResult MsgBoxStyle MsgBoxStyle ForceSteamLogin ForceSteamLogin System.Net.NetworkInformation System.Net.NetworkInformation get_OperationalStatus get_OperationalStatus OperationalStatus OperationalStatus FakemsgInstall FakemsgInstall System.Net.Mail System.Net.Mail SmtpClient SmtpClient System.Globalization System.Globalization set_Port set_Port System.Net System.Net Microsoft.Win32 Microsoft.Win32 RegistryKey RegistryKey OpenSubKey OpenSubKey System.Security.Cryptography System.Security.Cryptography System.Text System.Text set_Key set_Key stealWebroswers stealWebroswers WebClient WebClient readweb readweb System.IO.Compression System.IO.Compression SendLogsFTP SendLogsFTP FtpWebRequest FtpWebRequest WebRequest WebRequest UploadFTP UploadFTP secretKey secretKey set_KeySize set_KeySize get_KeySize get_KeySize System.Net.Sockets System.Net.Sockets virtualKey virtualKey KeyboardHookDelegate KeyboardHookDelegate get_Msg get_Msg Debugger.My.Resources Debugger.My.Resources System.Resources System.Resources get_CMemoryExecute get_CMemoryExecute get_WebBrowserPassView get_WebBrowserPassView WebBrowserPassView WebBrowserPassView System.Configuration System.Configuration 8.0.0.0 8.0.0.0 My.Computer My.Computer My.Application My.Application My.User My.User My.Forms My.Forms My.WebServices My.WebServices System.Windows.Forms.Form System.Windows.Forms.Form My.MyProject.Forms My.MyProject.Forms 4System.Web.Services.Protocols.SoapHttpClientProtocol 4System.Web.Services.Protocols.SoapHttpClientProtocol 3System.Resources.Tools.StronglyTypedResourceBuilder 3System.Resources.Tools.StronglyTypedResourceBuilder 4.0.0.0 4.0.0.0 KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator 10.0.0.0 10.0.0.0 My.Settings My.Settings $e48811ca-8af8-4e73-85dd-2045b9cca73a $e48811ca-8af8-4e73-85dd-2045b9cca73a _CorExeMain _CorExeMain %%0.ß %%0.ß Apple Computer\Preferences\keychain.plist Apple Computer\Preferences\keychain.plist LoadPasswordsIE LoadPasswordsIE LoadPasswordsFirefox LoadPasswordsFirefox LoadPasswordsChrome LoadPasswordsChrome LoadPasswordsOpera LoadPasswordsOpera LoadPasswordsSafari LoadPasswordsSafari LoadPasswordsSeaMonkey LoadPasswordsSeaMonkey UseFirefoxProfileFolder UseFirefoxProfileFolder UseFirefoxInstallFolder UseFirefoxInstallFolder UseChromeProfileFolder UseChromeProfileFolder UseOperaPasswordFile UseOperaPasswordFile FirefoxProfileFolder FirefoxProfileFolder FirefoxInstallFolder FirefoxInstallFolder ChromeProfileFolder ChromeProfileFolder OperaPasswordFile OperaPasswordFile Aadvapi32.dll Aadvapi32.dll crypt32.dll crypt32.dll 777705555443332 777705555443332 5555443332 5555443332 5555443332 5555443332 wand.dat wand.dat @nss3.dll @nss3.dll SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe %programfiles%\Sea Monkey %programfiles%\Sea Monkey %programfiles%\Mozilla Firefox %programfiles%\Mozilla Firefox -signons.txt -signons.txt signons2.txt signons2.txt signons3.txt signons3.txt @dllhost.exe @dllhost.exe taskhost.exe taskhost.exe taskhostex.exe taskhostex.exe Microsoft\Windows\WebCache\WebCacheV01.dat Microsoft\Windows\WebCache\WebCacheV01.dat Microsoft\Windows\WebCache\WebCacheV24.dat Microsoft\Windows\WebCache\WebCacheV24.dat index.dat index.dat hXXps://VVV.google.com/accounts/servicelogin hXXps://VVV.google.com/accounts/servicelogin hXXp://VVV.facebook.com/ hXXp://VVV.facebook.com/ hXXps://login.yahoo.com/config/login hXXps://login.yahoo.com/config/login hXXp:// hXXp:// hXXps:// hXXps:// PTF:// PTF:// @history.dat @history.dat places.sqlite places.sqlite Mozilla\Firefox\Profiles Mozilla\Firefox\Profiles Mozilla\SeaMonkey\Profiles Mozilla\SeaMonkey\Profiles Mozilla\SeaMonkey Mozilla\SeaMonkey Mozilla\Firefox Mozilla\Firefox profiles.ini profiles.ini Profile%d Profile%d tntdll.dll tntdll.dll sWeb Data sWeb Data Login Data Login Data Google\Chrome\User Data Google\Chrome\User Data Google\Chrome SxS\User Data Google\Chrome SxS\User Data Opera\Opera\wand.dat Opera\Opera\wand.dat Opera\Opera7\profile\wand.dat Opera\Opera7\profile\wand.dat Opera Opera @"%s" @"%s" Ashell32.dll Ashell32.dll \nss3.dll \nss3.dll .save .save vaultcli.dll vaultcli.dll abe2869f-9b47-4cd9-a358-c22904dba7f7 abe2869f-9b47-4cd9-a358-c22904dba7f7 Copy &Password Copy &Password &HTML Report - All Items &HTML Report - All Items HTML R&eport - Selected Items HTML R&eport - Selected Items HTML Report - All Items HTML Report - All Items HTML Report - Selected Items HTML Report - Selected Items Load Passwords From... Load Passwords From... Google Chrome Google Chrome Mozilla Firefox Mozilla Firefox SeaMonkey SeaMonkey Firefox Options Firefox Options Master password: Master password: Firefox Profile: Firefox Profile: Firefox Installation: Firefox Installation: Chrome Options Chrome Options Opera Options Opera Options wand.dat file: wand.dat file: %d Passwords %d Passwords , %d Selected , %d Selected Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat) Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat) Loading... %d Loading... %d KeePass csv file KeePass csv file Opera Password File Opera Password File Firefox 1.x Firefox 1.x Firefox 2.x Firefox 2.x Firefox 3.0 Firefox 3.0 Firefox Firefox Chrome Chrome Web Browser Web Browser Password Password Password Strength Password Strength Password Field Password Field WebBrowserPassView.exe WebBrowserPassView.exe VVV.google.com/Please log in to your Gmail account VVV.google.com/Please log in to your Gmail account VVV.google.com:443/Please log in to your Gmail account VVV.google.com:443/Please log in to your Gmail account VVV.google.com/Please log in to your Google Account VVV.google.com/Please log in to your Google Account VVV.google.com:443/Please log in to your Google Account VVV.google.com:443/Please log in to your Google Account VVV.google.com VVV.google.com dWindowsLive:name=* dWindowsLive:name=* 82BD0E67-9FEA-4748-8672-D5EFE5B779B0 82BD0E67-9FEA-4748-8672-D5EFE5B779B0 Copy Password Copy Password %d items %d items Select Eudora.ini filename/Select the location of Thunderbird installation Select Eudora.ini filename/Select the location of Thunderbird installation Eudora.ini file Eudora.ini file SMTP SMTP Windows Mail Windows Mail Windows Live Mail Windows Live Mail Server Port Server Port SMTP Server Port SMTP Server Port Mail Password Recovery Mail Password Recovery mailpv.exe mailpv.exe 3, 7 #,) 3, 7 #,) 2400000 2400000 MessageBoxIcon.Error MessageBoxIcon.Error noftp noftp filename.exe filename.exe hXXp://VVV.example.com/directory/file.exe hXXp://VVV.example.com/directory/file.exe Disablecmd Disablecmd \Windows Update.exe \Windows Update.exe \WindowsUpdate.exe \WindowsUpdate.exe SysInfo.txt SysInfo.txt \pid.txt \pid.txt \pidloc.txt \pidloc.txt \Mozilla\Firefox\Profiles \Mozilla\Firefox\Profiles 127.0.0.1 127.0.0.1 \SteamAppData.vdf \SteamAppData.vdf \ClientRegistry.blob \ClientRegistry.blob MessageBoxIcon.Exclamation MessageBoxIcon.Exclamation Keylogger Enabled: Keylogger Enabled: Operating System: Operating System: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced autorun.inf autorun.inf open=Sys.exe open=Sys.exe Sys.exe Sys.exe Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run Windows Update Windows Update C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Microsoft.NET\Framework\v2.0.50727\vbc.exe Microsoft.NET\Framework\v2.0.50727\vbc.exe holdermail.txt" holdermail.txt" holdermail.txt holdermail.txt Operating System Intel Recovery Operating System Intel Recovery Operating System Platform: Operating System Platform: Operating System Version: Operating System Version: WEB Browser Password Recovery WEB Browser Password Recovery Mail Messenger Password Recovery Mail Messenger Password Recovery Jdownloader Password Recovery Jdownloader Password Recovery holderwb.txt" holderwb.txt" holderwb.txt holderwb.txt \.minecraft\lastlogin \.minecraft\lastlogin There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor Logger - Key Recorder - [ Logger - Key Recorder - [ Keylogger Log Keylogger Log .jpeg .jpeg Logger_KeyLog_ Logger_KeyLog_ hXXp://whatismyipaddress.com/ hXXp://whatismyipaddress.com/ Debugger.Resources Debugger.Resources :\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe :\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe %original file name%.exe_640_rwx_00400000_00084000: .text .text `.rsrc `.rsrc @.reloc @.reloc lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet v2.0.50727 v2.0.50727 CMemoryExecute.dll CMemoryExecute.dll CMemoryExecute CMemoryExecute PAGE_EXECUTE_READWRITE PAGE_EXECUTE_READWRITE .ctor .ctor System.Reflection System.Reflection System.Runtime.InteropServices System.Runtime.InteropServices System.Security.Permissions System.Security.Permissions System.Diagnostics System.Diagnostics System.Runtime.CompilerServices System.Runtime.CompilerServices DllImportAttribute DllImportAttribute kernel32.dll kernel32.dll ntdll.dll ntdll.dll System.Security System.Security $8fcd4931-91a2-4e18-849b-70de34ab75df $8fcd4931-91a2-4e18-849b-70de34ab75df 1.0.0.0 1.0.0.0 System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb mscoree.dll mscoree.dll `.rdata `.rdata @.data @.data .rsrc .rsrc D$.SPf D$.SPf 2 34 567 2 34 567 com.apple.Safari com.apple.Safari com.apple.WebKit2WebProcess com.apple.WebKit2WebProcess SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins "Account","Login Name","Password","Web Site","Comments" "Account","Login Name","Password","Web Site","Comments" 3.7.5 3.7.5 SQLite format 3 SQLite format 3 CREATE TABLE sqlite_master( CREATE TABLE sqlite_master( sql text sql text REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins PK11_GetInternalKeySlot PK11_GetInternalKeySlot PK11_CheckUserPassword PK11_CheckUserPassword large file support is disabled large file support is disabled unknown operation unknown operation SQL logic error or missing database SQL logic error or missing database foreign_keys foreign_keys sqlite_compileoption_get sqlite_compileoption_get sqlite_compileoption_used sqlite_compileoption_used sqlite_source_id sqlite_source_id sqlite_version sqlite_version sqlite_attach sqlite_attach sqlite_detach sqlite_detach sqlite_stat1 sqlite_stat1 sqlite_rename_parent sqlite_rename_parent sqlite_rename_trigger sqlite_rename_trigger sqlite_rename_table sqlite_rename_table %Y-%m-%d %H:%M:%S %Y-%m-%d %H:%M:%S %Y-%m-%d %Y-%m-%d %H:%M:%S %H:%M:%S SQLITE_ SQLITE_ failed to allocate %u bytes of memory failed to allocate %u bytes of memory failed memory resize %u to %u bytes failed memory resize %u to %u bytes 922337203685477580 922337203685477580 API call with %s database connection pointer API call with %s database connection pointer %s-shm %s-shm %s\etilqs_ %s\etilqs_ OsError 0x%x (%u) OsError 0x%x (%u) Recovered %d frames from WAL file %s Recovered %d frames from WAL file %s %s-mjX %s-mjX foreign key constraint failed foreign key constraint failed unable to use function %s in the requested context unable to use function %s in the requested context abort at %d in [%s]: %s abort at %d in [%s]: %s constraint failed at %d in [%s] constraint failed at %d in [%s] cannot open savepoint - SQL statements in progress cannot open savepoint - SQL statements in progress no such savepoint: %s no such savepoint: %s cannot %s savepoint - SQL statements in progress cannot %s savepoint - SQL statements in progress cannot rollback transaction - SQL statements in progress cannot rollback transaction - SQL statements in progress cannot commit transaction - SQL statements in progress cannot commit transaction - SQL statements in progress sqlite_master sqlite_master SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid cannot change %s wal mode from within a transaction cannot change %s wal mode from within a transaction statement aborts at %d: [%s] %s statement aborts at %d: [%s] %s misuse of aliased aggregate %s misuse of aliased aggregate %s %s: %s.%s.%s %s: %s.%s.%s %s: %s.%s %s: %s.%s %s: %s %s: %s %r %s BY term out of range - should be between 1 and %d %r %s BY term out of range - should be between 1 and %d too many terms in %s BY clause too many terms in %s BY clause Expression tree is too large (maximum depth %d) Expression tree is too large (maximum depth %d) variable number must be between ?1 and ?%d variable number must be between ?1 and ?%d too many SQL variables too many SQL variables too many columns in %s too many columns in %s oversized integer: %s%s oversized integer: %s%s misuse of aggregate: %s() misuse of aggregate: %s() %.*s"%w"%s %.*s"%w"%s %s%.*s"%w" %s%.*s"%w" %s OR name=%Q %s OR name=%Q type='trigger' AND (%s) type='trigger' AND (%s) there is already another table or index with this name: %s there is already another table or index with this name: %s sqlite_ sqlite_ table %s may not be altered table %s may not be altered view %s may not be altered view %s may not be altered UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; Cannot add a PRIMARY KEY column Cannot add a PRIMARY KEY column UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q sqlite_altertab_%s sqlite_altertab_%s CREATE TABLE %Q.%s(%s) CREATE TABLE %Q.%s(%s) DELETE FROM %Q.%s WHERE tbl=%Q DELETE FROM %Q.%s WHERE tbl=%Q SELECT tbl, idx, stat FROM %Q.sqlite_stat1 SELECT tbl, idx, stat FROM %Q.sqlite_stat1 invalid name: "%s" invalid name: "%s" too many attached databases - max %d too many attached databases - max %d database %s is already in use database %s is already in use unable to open database: %s unable to open database: %s no such database: %s no such database: %s cannot detach database %s cannot detach database %s database %s is locked database %s is locked %s %T cannot reference objects in database %s %s %T cannot reference objects in database %s object name reserved for internal use: %s object name reserved for internal use: %s there is already an index named %s there is already an index named %s too many columns on %s too many columns on %s duplicate column name: %s duplicate column name: %s default value of column [%s] is not constant default value of column [%s] is not constant table "%s" has more than one primary key table "%s" has more than one primary key no such collation sequence: %s no such collation sequence: %s CREATE %s %.*s CREATE %s %.*s UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d view %s is circularly defined view %s is circularly defined table %s may not be dropped table %s may not be dropped use DROP TABLE to delete table %s use DROP TABLE to delete table %s use DROP VIEW to delete view %s use DROP VIEW to delete view %s DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger' DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger' DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q foreign key on %s should reference only one column of table %T foreign key on %s should reference only one column of table %T number of columns in foreign key does not match the number of columns in the referenced table number of columns in foreign key does not match the number of columns in the referenced table unknown column "%s" in foreign key definition unknown column "%s" in foreign key definition indexed columns are not unique indexed columns are not unique table %s may not be indexed table %s may not be indexed views may not be indexed views may not be indexed virtual tables may not be indexed virtual tables may not be indexed there is already a table named %s there is already a table named %s index %s already exists index %s already exists sqlite_autoindex_%s_%d sqlite_autoindex_%s_%d table %s has no column named %s table %s has no column named %s CREATE%s INDEX %.*s CREATE%s INDEX %.*s INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); no such index: %S no such index: %S index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped DELETE FROM %Q.%s WHERE name=%Q AND type='index' DELETE FROM %Q.%s WHERE name=%Q AND type='index' DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q a JOIN clause is required before %s a JOIN clause is required before %s unable to identify the object to be reindexed unable to identify the object to be reindexed table %s may not be modified table %s may not be modified cannot modify %s because it is a view cannot modify %s because it is a view foreign key mismatch foreign key mismatch table %S has %d columns but %d values were supplied table %S has %d columns but %d values were supplied %d values for %d columns %d values for %d columns table %S has no column named %s table %S has no column named %s %s.%s may not be NULL %s.%s may not be NULL PRIMARY KEY must be unique PRIMARY KEY must be unique automatic extension loading failed: %s automatic extension loading failed: %s foreign_key_list foreign_key_list malformed database schema (%s) malformed database schema (%s) %s - %s %s - %s unsupported file format unsupported file format SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid unknown or unsupported join type: %T %T%s%T unknown or unsupported join type: %T %T%s%T RIGHT and FULL OUTER JOINs are not currently supported RIGHT and FULL OUTER JOINs are not currently supported a NATURAL join may not have an ON or USING clause a NATURAL join may not have an ON or USING clause cannot have both ON and USING clauses in the same join cannot have both ON and USING clauses in the same join cannot join using column %s - column not present in both tables cannot join using column %s - column not present in both tables %s.%s %s.%s %s:%d %s:%d no such index: %s no such index: %s sqlite_subquery_%p_ sqlite_subquery_%p_ no such table: %s no such table: %s cannot create %s trigger on view: %S cannot create %s trigger on view: %S cannot create INSTEAD OF trigger on table: %S cannot create INSTEAD OF trigger on table: %S INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q') INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q') no such trigger: %S no such trigger: %S no such column: %s no such column: %s cannot VACUUM - SQL statements in progress cannot VACUUM - SQL statements in progress PRAGMA vacuum_db.synchronous=OFF PRAGMA vacuum_db.synchronous=OFF SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0 SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0 SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0 SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0 SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0) INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0) UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d vtable constructor failed: %s vtable constructor failed: %s vtable constructor did not declare schema: %s vtable constructor did not declare schema: %s no such module: %s no such module: %s table %s: xBestIndex returned an invalid plan table %s: xBestIndex returned an invalid plan at most %d tables in a join at most %d tables in a join cannot use index: %s cannot use index: %s the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers unable to close due to unfinished backup operation unable to close due to unfinished backup operation unknown database: %s unknown database: %s no such vfs: %s no such vfs: %s database corruption at line %d of [%.10s] database corruption at line %d of [%.10s] misuse at line %d of [%.10s] misuse at line %d of [%.10s] cannot open file at line %d of [%.10s] cannot open file at line %d of [%.10s] sqlite3_open sqlite3_open sqlite3_prepare sqlite3_prepare sqlite3_step sqlite3_step sqlite3_column_text sqlite3_column_text sqlite3_column_int sqlite3_column_int sqlite3_column_int64 sqlite3_column_int64 sqlite3_finalize sqlite3_finalize sqlite3_close sqlite3_close sqlite3_exec sqlite3_exec f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb msvcrt.dll msvcrt.dll _wcmdln _wcmdln COMCTL32.dll COMCTL32.dll VERSION.dll VERSION.dll FindCloseUrlCache FindCloseUrlCache FindNextUrlCacheEntryW FindNextUrlCacheEntryW FindFirstUrlCacheEntryW FindFirstUrlCacheEntryW WININET.dll WININET.dll GetWindowsDirectoryW GetWindowsDirectoryW KERNEL32.dll KERNEL32.dll EnumChildWindows EnumChildWindows USER32.dll USER32.dll GDI32.dll GDI32.dll comdlg32.dll comdlg32.dll RegCloseKey RegCloseKey RegOpenKeyExW RegOpenKeyExW RegEnumKeyExW RegEnumKeyExW ADVAPI32.dll ADVAPI32.dll ShellExecuteW ShellExecuteW SHELL32.dll SHELL32.dll ole32.dll ole32.dll 5JEw%Xg 5JEw%Xg hXXp://VVV.usertrust.com1 hXXp://VVV.usertrust.com1 3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05 3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05 hXXp://ocsp.usertrust.com0 hXXp://ocsp.usertrust.com0 1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05 1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05 1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t 1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t 1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0% 1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0% hXXps://secure.comodo.net/CPS0A hXXps://secure.comodo.net/CPS0A 0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r 0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r 0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$ 0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$ hXXp://ocsp.comodoca.com0 hXXp://ocsp.comodoca.com0 support@nirsoft.net0 support@nirsoft.net0 t{SSh t{SSh v%SSW v%SSW Mail PassView Mail PassView Mozilla\Profiles Mozilla\Profiles Software\Mozilla\Mozilla Thunderbird Software\Mozilla\Mozilla Thunderbird %s\Main %s\Main sqlite3.dll sqlite3.dll nss3.dll nss3.dll %programfiles%\Mozilla Thunderbird %programfiles%\Mozilla Thunderbird AddExportHeaderLine AddExportHeaderLine %s %s %s %s %s %s HTTPMail User Name HTTPMail User Name SMTP USer Name SMTP USer Name HTTPMail Server HTTPMail Server SMTP Server SMTP Server POP3 Password2 POP3 Password2 IMAP Password2 IMAP Password2 HTTPMail Password2 HTTPMail Password2 SMTP Password2 SMTP Password2 POP3 Port POP3 Port IMAP Port IMAP Port HTTPMail Port HTTPMail Port SMTP Port SMTP Port HTTPMail Secure Connection HTTPMail Secure Connection SMTP Secure Connection SMTP Secure Connection SMTP Display Name SMTP Display Name SMTP Email Address SMTP Email Address POP3 Password POP3 Password IMAP Password IMAP Password HTTP Password HTTP Password SMTP Password SMTP Password HTTP User HTTP User SMTP User SMTP User HTTP Server URL HTTP Server URL HTTP Port HTTP Port HTTPMail Use SSL HTTPMail Use SSL SMTP Use SSL SMTP Use SSL %s\%s %s\%s PopPort PopPort PopPassword PopPassword SMTPAccount SMTPAccount SMTPServer SMTPServer SMTPPort SMTPPort SMTPLogSecure SMTPLogSecure SMTPPassword SMTPPassword %s\Accounts %s\Accounts LoginName LoginName SavePasswordText SavePasswordText ESMTPUsername ESMTPUsername ESMTPPassword ESMTPPassword POP3Password POP3Password fb.dat fb.dat %s@gmail.com %s@gmail.com %s@yahoo.com %s@yahoo.com Software\Microsoft\Windows Messaging Subsystem\Profiles Software\Microsoft\Windows Messaging Subsystem\Profiles Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles %s %s%s %ssmtp smtp advapi32.dll advapi32.dll comctl32.dll comctl32.dll *.ini *.ini netmsg.dll netmsg.dll Error %d: %s Error %d: %s %s (%s) %s (%s) menu_%d menu_%d dialog_%d dialog_%d TranslatorURL TranslatorURL _lng.ini _lng.ini %-18s: %s %-18s: %s %%-%d.%ds %%-%d.%ds | %s | %s | %s | %s |
---|---|---|---|---|---|
%s | %s | ||||
%s | %s bgcolor="%s" bgcolor="%s" %s %s %s%s> %s%s> %s> %s> report.html report.html *.txt *.txt *.htm;*.html *.htm;*.html *.xml *.xml *.csv *.csv Software\NirSoft\MailPassView Software\NirSoft\MailPassView MailPassView MailPassView /skeepass /skeepass /deleteregkey /deleteregkey Failed to load the executable file ! Failed to load the executable file ! mail.account.account mail.account.account mail.server mail.server port port mail.identity mail.identity signon.signonfilename signon.signonfilename mailbox://%s@%s mailbox://%s@%s imap://%s@%s imap://%s@%s mailbox://%s mailbox://%s imap://%s imap://%s signons.txt signons.txt signons.sqlite signons.sqlite prefs.js prefs.js Password.NET Messenger Service Password.NET Messenger Service User.NET Messenger Service User.NET Messenger Service Passport.Net\* Passport.Net\* ps:password ps:password windowslive:name= windowslive:name= Exception %8.8X at address %8.8X in module %s Exception %8.8X at address %8.8X in module %s Stack Data: %s Stack Data: %s Code Data: %s Code Data: %s mozsqlite3.dll mozsqlite3.dll psapi.dll psapi.dll pstorec.dll pstorec.dll 5e7e8100-9138-11d1-945a-00c04fc308ff 5e7e8100-9138-11d1-945a-00c04fc308ff 00000000-0000-0000-0000-000000000000 00000000-0000-0000-0000-000000000000 220D5CD0-853A-11D0-84BC-00C04FD43F8F 220D5CD0-853A-11D0-84BC-00C04FD43F8F 220D5CD1-853A-11D0-84BC-00C04FD43F8F 220D5CD1-853A-11D0-84BC-00C04FD43F8F 220D5CC1-853A-11D0-84BC-00C04FD43F8F 220D5CC1-853A-11D0-84BC-00C04FD43F8F 417E2D75-84BD-11D0-84BB-00C04FD43F8F 417E2D75-84BD-11D0-84BB-00C04FD43F8F shell32.dll shell32.dll Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders shlwapi.dll shlwapi.dll %s%s%s%s%s %s%s %ssize="%d" size="%d" color="#%s" color="#%s" width="%s" width="%s"
|