mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 40accddf1913377216a4438472c6fb68
SHA1: 7f559fc24ed84c4a8edda92299d31c616df940c8
SHA256: 5d46f7273ce25576bde513b83718a9967a8757529d644f791e743c405525ef3c
SSDeep: 12288:UDdUcnPYUjGDB8YaDwC1ol5BL7DrBWoVw0LvK3jtHhiTn4F5ErkJZs3w:UDdU YdDB8YIwCOl5BL7RW4wuv jDQ7O
Size: 782280 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Canon IT Solutions Inc.
Created at: 2002-08-02 10:01:18
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Worm creates the following process(es):
%original file name%.exe:3304
egui.exe:2604
ekrn.exe:2988
DrvInst.exe:3772
DrvInst.exe:2880
DrvInst.exe:3456
DrvInst.exe:612
DrvInst.exe:2152
DrvInst.exe:1664
Setup.exe:1408
Setup.exe:2788
mobsync.exe:1416
MsiExec.exe:704
MsiExec.exe:3464
MsiExec.exe:3000
The Worm injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:3304 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft2463.tmp\pftw1.pkg (550 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupNotification.xml (197 bytes)
%Program Files% (x86)\ESET\CITSINST\Setup.exe (174574 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext2443.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf2442.tmp (4 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupLauncherV2.xml (4 bytes)
%Program Files% (x86)\ESET\CITSINST\eula_ess.txt (20 bytes)
The process ekrn.exe:2988 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\ProgramData\ESET\ESET Smart Security\Logs\epfwlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\urllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB (389233 bytes)
C:\Windows\System32\drivers\eamonm.sys (245 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwUser.dat (720 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata.dat (676 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTmp2.dat (23 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db-journal (544 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc1.bin.full.2014.11.03.05.11.43 (852 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db (5 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc21.bin.full.2014.10.15.23.36.04 (1 bytes)
C:\ProgramData\ESET\ESET Smart Security\epfwdata.bin (258 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\virlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db (244143 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\hipslog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\parentallog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\warnlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\spamlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc2.bin.full.2005.02.11.04.44.13 (9 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata2.dat (394 bytes)
%Program Files%\ESET\ESET Smart Security\emesj007_32.dat (176 bytes)
C:\Windows\System32\drivers\edevmon.sys (241 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTemp.dat (285 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.bin (168 bytes)
%Program Files%\ESET\ESET Smart Security\speclean.new (589 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\devctrllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.xml (32 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db-journal (544 bytes)
The process DrvInst.exe:3772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_neutral_d20c42e70c913283\epfw.PNF (6492 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5541.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5540.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1688 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\inf\oem13.inf (1 bytes)
The process DrvInst.exe:2880 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624C.tmp (5 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624B.tmp (8 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1867 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1836 bytes)
C:\Windows\inf\oem16.inf (5 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\FileRepository\edevmon.inf_amd64_neutral_b3219a1046723b4d\edevmon.PNF (5703 bytes)
The process DrvInst.exe:3456 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (248 bytes)
C:\Windows\inf\oem9.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET5206.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET51F6.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1532 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (308 bytes)
C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_neutral_de35935fbadc0b42\ehdrv.PNF (5619 bytes)
The process DrvInst.exe:612 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\inf\oem15.inf (2 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D4.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (2396 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1867 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D5.tmp (2 bytes)
C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_neutral_6def4c43f49cc607\eamonm.PNF (6779 bytes)
The process DrvInst.exe:2152 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5735.tmp (2 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (4666 bytes)
C:\Windows\inf\oem14.inf (2 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (2492 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1331 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5734.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5736.tmp (44 bytes)
The process DrvInst.exe:1664 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53D9.tmp (8 bytes)
C:\Windows\System32\DriverStore\infpub.dat (248 bytes)
C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53DA.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_neutral_30e8a68da2d9957f\epfwwfp.PNF (8695 bytes)
C:\Windows\inf\oem12.inf (1 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1920 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (884 bytes)
The process Setup.exe:1408 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ess_nt64_JPN.msi (10848492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\cfg[1].xml (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cfg.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\CheckDriver64[1].exe (225705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DownloadConfig.xml (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\ess_nt64_JPN[1].msi (40838206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (151204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\DownloadConfig[1].xml (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CheckDriver64.exe (61540 bytes)
The process Setup.exe:2788 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\eula_ess.txt (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherV2.xml (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Setup[1].dat (4878362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherV2[1].xml (241 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupNotification[1].xml (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (29202 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherVer.xml (759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupNotification.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup.exe (1298341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherVer[1].xml (759 bytes)
The process MsiExec.exe:704 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Installer\MSIF1F1.tmp (708 bytes)
C:\Windows\Installer\MSIF1E1.tmp (708 bytes)
C:\Windows\Installer\MSIF260.tmp (708 bytes)
C:\Windows\Installer\MSIFCB3.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inxF141.tmp (33 bytes)
C:\Windows\Installer\MSIF104.tmp (708 bytes)
C:\ProgramData\ESET\ESET Smart Security\Installer\c8a.msi (638042 bytes)
C:\Windows\Installer\MSIF172.tmp (708 bytes)
C:\Windows\Installer\MSI7DF6.tmp (708 bytes)
C:\Windows\Installer\MSIF37A.tmp (708 bytes)
C:\Windows\Installer\MSI7D2A.tmp (708 bytes)
The process MsiExec.exe:3464 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\Installer\MSI7894.tmp (180 bytes)
The process MsiExec.exe:3000 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3839.tmp (1327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386A.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12EA.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D1.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C51.tmp (277 bytes)
%Program Files%\ESET\ESET Smart Security\msvcp110.dll (663 bytes)
%Program Files%\ESET\ESET Smart Security\em023_32.dat (31071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3939.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E91.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BFF.tmp (4073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138C.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1634.tmp (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP386B.tmp (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FB.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DB.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E49.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35CC.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EE.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13C0.tmp (21585 bytes)
%Program Files%\ESET\ESET Smart Security\em006_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1134.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DC8.tmp (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1114.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E5E.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1258.tmp (260 bytes)
C:\Windows\System32\drivers\SET54B5.tmp (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39EC.tmp (3905 bytes)
C:\Windows\System32\DriverStore\infpub.dat (1488 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3829.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D40.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD2.tmp (8 bytes)
C:\Windows\Installer\MSI5380.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B49.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39C9.tmp (616 bytes)
%Program Files%\ESET\ESET Smart Security\em004_32.dat (7726 bytes)
%Program Files%\ESET\ESET Smart Security\em031_32.dat (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B4A.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FA1.tmp (749 bytes)
C:\Windows\System32\catroot2\dberr.txt (4929 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3925.tmp (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130D.tmp (272 bytes)
C:\Windows\Installer\MSIFCE3.tmp (708 bytes)
C:\Windows\Installer\MSIFCE4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1D4B.tmp (34578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1223.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C50.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DA0.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DCA.tmp (2938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36DA.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DA5.tmp (209 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (3650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4557.tmp (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP14AC.tmp (29628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4C.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D5.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38F5.tmp (2772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BEF.tmp (3821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC6.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1248.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A6A.tmp (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FB2.tmp (2628 bytes)
C:\Windows\System32\drivers\SET52E0.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EF.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F8F.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A9.tmp (1 bytes)
C:\Windows\Installer\MSIF59F.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1194.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1212.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP394A.tmp (3268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP138B.tmp (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3827.tmp (279 bytes)
%Program Files%\ESET\ESET Smart Security\em015_32.dat (6 bytes)
%Program Files%\ESET\ESET Smart Security\em001_32.dat (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4526.tmp (301 bytes)
%Program Files%\ESET\ESET Smart Security\msvcr110.dll (851 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6218.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B7A.tmp (8729 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CB4.tmp (4 bytes)
C:\Windows\Installer\MSI56DC.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F18.tmp (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1635.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1667.tmp (75333 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DF4.tmp (12604 bytes)
C:\Windows\System32\drivers\SET61D3.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C7.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CEA.tmp (1038 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1400.tmp (22384 bytes)
C:\Windows\Installer\MSIF4B4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E92.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B47.tmp (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF13B0.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3828.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3ED6.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em020_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D0A.tmp (2 bytes)
C:\Windows\Installer\MSIF5CF.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11FF.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D61.tmp (2380 bytes)
%Program Files%\ESET\ESET Smart Security\em018_32.dat (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5F.tmp (1648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DFA.tmp (3917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12B2.tmp (295 bytes)
%Program Files%\ESET\ESET Smart Security\em006_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38C0.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35DE.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE2.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F90.tmp (27 bytes)
C:\Windows\System32\drivers\SET590B.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F91.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11A4.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5507.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131F.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DB8.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1331.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF387E.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B7.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A2.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3C0C.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1259.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36EB.tmp (102 bytes)
C:\Windows\System32\drivers\SET565B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126B.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3937.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D50.tmp (1848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387D.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A8.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E6F.tmp (1881 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13AF.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B6.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C84.tmp (1399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1222.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127F.tmp (294 bytes)
C:\Windows\Installer\MSI636D.tmp (708 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (10099 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E48DDEA3BF68DF580551FA0F27950B54 (1328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F19.tmp (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3826.tmp (102 bytes)
%Program Files%\ESET\ESET Smart Security\em009_64.dat (8281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1646.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1367.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1247.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39CA.tmp (271 bytes)
%Program Files%\ESET\ESET Smart Security\em010_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C8B.tmp (3279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1101.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF132F.tmp (252 bytes)
%Program Files%\ESET\ESET Smart Security\em003_32.dat (7547 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1342.tmp (274 bytes)
%Program Files%\ESET\ESET Smart Security\em018_64.dat (673 bytes)
C:\Windows\Installer\MSI518C.tmp (708 bytes)
%Program Files%\ESET\ESET Smart Security\em000_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E8.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F8E.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FC.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DD1.tmp (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3F.tmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1379.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E4B.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DA.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1366.tmp (282 bytes)
C:\Windows\Installer\MSI6205.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1290.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4546.tmp (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6217.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1355.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127D.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3869.tmp (108 bytes)
C:\Windows\Installer\MSI4F0B.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35CB.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D2B.tmp (214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A8E.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126D.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DE3.tmp (12 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (5088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BC9.tmp (182 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CB5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET539E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET538D.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138A.tmp (285 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39DB.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EA3.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A9F.tmp (2077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CD9.tmp (1063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE4.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1102.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DC9.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D3E.tmp (252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D3.tmp (15 bytes)
%Program Files%\ESET\ESET Smart Security\em017_64.dat (30427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A8D.tmp (37 bytes)
%Program Files%\ESET\ESET Smart Security\em009_32.dat (7726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C0B.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D0B.tmp (267 bytes)
%Program Files%\ESET\ESET Smart Security\em002_32.dat (259130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB5.tmp (1840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3926.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36FC.tmp (1386 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386C.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6071.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\em008_64.dat (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C4.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1235.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A7B.tmp (553 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4E62.tmp (9890 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131E.tmp (267 bytes)
C:\Windows\System32\config (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3ED7.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126C.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1378.tmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387F.tmp (2200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP473E.tmp (1555561 bytes)
C:\Windows\System32\drivers\SET633B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35DD.tmp (94 bytes)
%Program Files%\ESET\ESET Smart Security\em024_32.dat (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4547.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDE.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38BF.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C3.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD3.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP396A.tmp (3607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DA1.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C1D.tmp (3124 bytes)
C:\Windows\System32\config\SYSTEM (10952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5506.tmp (8 bytes)
C:\Windows\Installer\MSI797F.tmp (708 bytes)
C:\Windows\Installer\MSIFD24.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11ED.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FC.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\updater.dll (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38E4.tmp (2920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D7.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F7C.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1234.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4569.tmp (1634611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BFB.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1330.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6070.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1353.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1200.tmp (259 bytes)
%Program Files%\ESET\ESET Smart Security\em021_32.dat (15019 bytes)
%Program Files%\ESET\ESET Smart Security\em000_32.dat (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDC.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E90.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD4.tmp (564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B48.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD5.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127E.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF139E.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1246.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BFA.tmp (714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C5.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3938.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E9.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C64.tmp (2437 bytes)
%Program Files%\ESET\ESET Smart Security\em015_64.dat (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36EC.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C3F.tmp (198 bytes)
C:\Windows\Installer\MSI54E8.tmp (708 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (1024 bytes)
%Program Files%\ESET\ESET Smart Security\em022_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C52.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1354.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BE8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF14CC.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BCA.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC5.tmp (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP139D.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A7C.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130C.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FD.tmp (44 bytes)
%Program Files%\ESET\ESET Smart Security\em019_32.dat (1281 bytes)
%Program Files%\ESET\ESET Smart Security\em028_64.dat (8 bytes)
%Program Files%\ESET\ESET Smart Security\em005_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36D9.tmp (1 bytes)
C:\Windows\Installer\MSIFD04.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1211.tmp (271 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1103.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E8F.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em008_32.dat (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FB.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F7D.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39DA.tmp (93 bytes)
%Program Files%\ESET\ESET Smart Security\em017_32.dat (30427 bytes)
C:\Windows\inf\oem14.PNF (4666 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3AEE.tmp (2575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3D.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4525.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1365.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF10F1.tmp (285 bytes)
C:\Windows\Installer\MSI7CF9.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP40EF.tmp (1577253 bytes)
C:\Windows\Temp\OLD60E6.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F08.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DB7.tmp (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38D2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4558.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DA6.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BE9.tmp (301 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E48DDEA3BF68DF580551FA0F27950B54 (573 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11D9.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F07.tmp (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DC.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D6.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1647.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C40.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B36.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B35.tmp (401 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B5A.tmp (7861 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3936.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1389.tmp (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1193.tmp (277 bytes)
C:\Windows\Installer\MSI637E.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A6B.tmp (294 bytes)
C:\Windows\Installer\MSI6030.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F1A.tmp (1597880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDB.tmp (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35EE.tmp (1185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3EA4.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB6.tmp (2390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC7.tmp (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP389F.tmp (2901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D2C.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C53.tmp (277 bytes)
C:\Windows\System32\drivers\SET5FEE.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38E3.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A1.tmp (286 bytes)
Registry activity
The process egui.exe:2604 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000800]
"OutlookIntegrationChangeCounter" = "96847905"
The process ekrn.exe:2988 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\eamonm\Parameters]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"DisplayName" = "EPFW POP3スã‚ÂÂャナã®è¨ÂÂ定"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"ModuleID" = "16778752"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\AppFS\ServiceInclusions]
"Eset" = "ekrn"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"StartFailSettings" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ArchivesBuild" = "1202"
[HKLM\System\CurrentControlSet\Services\ehdrv\Parameters]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010106]
"DisplayName" = "アイドル状態検査"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ei2" = "Type: REG_QWORD, Length: 8"
"ei3" = "Type: REG_QWORD, Length: 8"
"ei1" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ei4" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"ActionCode" = "2"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ScannerBuild" = "21372"
"AdvheurBuild" = "1119"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/HTTP"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"SMTP_Flags" = "4"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"DisplayName" = "EPFW HTTPスã‚ÂÂャナã®è¨ÂÂ定"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"TriggerSettings" = "327680"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"RegistrationHiddenFields" = "24576"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"
[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"ESET_OPTIONS" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000300\Profiles\@My profile]
"SmonModuleBuild" = "1036"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"DisplayName" = "ドã‚ÂÂュメントä¿ÂÂè·ã®è¨ÂÂ定"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroupOld" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\100]
"LastExec" = "1422540389"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"Path" = "Filters/File/DMON"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"TranslatorBuild" = "1331"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\System\CurrentControlSet\services\edevmon\Parameters]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"PluginId" = "16777474"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "21372"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersion" = "10817 (20141203)"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"Path" = "Scanners/File/FirstScan"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"UniqueID" = "54CA3E5D45534555"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"DisplayName" = "自動スタートアッãƒâ€â€ÃƒÂ£Ã†â€™Ã¢â‚¬Â¢ÃƒÂ£Ã¢â‚¬Å¡Ã‚¡Ã£â€šÂ¤Ã£Æ’«ã‚¹ã‚ÂÂャナã®è¨ÂÂ定"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"PluginId" = "16777474"
[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000300]
"stats" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"DisplayName" = ""
[HKLM\System\CurrentControlSet\services\eamonm]
"Start" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Enable" = "1"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1]
"LastExec" = "1422540425"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"TriggerType" = "4"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "10817"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010106]
"PluginId" = "16777472"
"Path" = "Scanners/File/IdleScanner"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\4]
"LastExec" = "1422540385"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"CleanerBuild" = "1133"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "16777473"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Name" = "自動スタートアッãƒâ€â€ÃƒÂ£Ã†â€™Ã¢â‚¬Â¢ÃƒÂ£Ã¢â‚¬Å¡Ã‚¡Ã£â€šÂ¤Ã£Æ’«ã®ãƒÂÂェック"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"DisplayName" = "EPFW IMAPスã‚ÂÂャナã®è¨ÂÂ定"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"RegistrationType" = "24"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"DisplayName" = "最åˆÂÂã®検査"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020103]
"Path" = "Filters/Email"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000300\Profiles\@My profile]
"SmonAutostart" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020103]
"PluginId" = "16777474"
"DisplayName" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings\RegisteringRequest]
"EvCode" = "01008645-A9D1-5461-6D69-472FE228CACD"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"Path" = "Filters/Email/IMAP"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler]
"TimeStamp" = "3305826572"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/POP3"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Active" = "@Smart scan"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"CustomerCareProduct" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Flags" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"ScanExecuteAH" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings\RegisteringRequest]
"CustomCode" = "12"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Scanners/File/Startup"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Enabled" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"PluginId" = "16777475"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"PluginId" = "16777728"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"InstallApp" = "ess_nt64_JPN.msi"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"PluginId" = "16777472"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"
"DisplayName" = "コンãƒâ€Âュータã®検査ã®è¨ÂÂ定"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"CrashDumpSupport" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"AuxParams" = "3C 21 5B 43 44 41 54 41 5B 3C 3F 78 6D 6C 20 76"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"PerseusBuild" = "1671"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000d00\Profiles\@My profile]
"Enable" = "1"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"SpecleanBuild" = "1010"
[HKLM\System\CurrentControlSet\Services\ehdrv\Parameters]
"EsjVer32" = "7"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ProxyEnabled" = "2"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000001\Profiles\@My profile]
"selfdefense" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000F00\Settings]
"data" = "ED EE 31 1C 1D D9 27 14 2B 2A 20 1E 1F EC DB E8"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000800\Profiles\@My profile]
"OutlookIntegrationChangeCounter" = "946853755"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]
The process DrvInst.exe:3772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:2880 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:3456 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:2152 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:1664 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
The process Setup.exe:1408 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadNetworkName" = "Network 4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDecision" = "0"
"WpadDecisionTime" = "7E 25 E9 C8 CC 3B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "26 56 74 73 CC 3B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "26 56 74 73 CC 3B D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDetectedUrl"
The process Setup.exe:2788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process mobsync.exe:1416 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"SyncTime" = "00 00 00 00 00 00 00 00"
"Connected" = "1"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr]
"StartAtLogin" = "0"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"Enabled" = "1"
The process MsiExec.exe:704 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Exchange\Client\Extensions]
"Eset Outlook Plugin" = "4.0;C:\PROGRA~1\ESET\ESETSM~1\x86\EPLGOU~1.DLL;1;11010111111000"
"Outlook Setup Extension" = "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\ESET\Setup]
"CAError"
"CADuration"
The process MsiExec.exe:3000 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\CLASS\{F12D3CF8-B11D-457E-8641-BE2AF2D6D204}]
"UpperFilters" = "edevmon"
[HKLM\System\CurrentControlSet\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}]
"UpperFilters" = "ksthunk, edevmon"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"Type" = "int"
[HKCU\Software\ESET\Setup]
"CADuration" = "InstSupp!CompileModules=20|"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"HelpText" = "ESET NDIS 6.0 LightWeight Filter. This component provides network filtering in ESET Smart Security."
[HKCR\Drives\Shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"CoServices" = "EpfwLWF"
"FilterType" = "2"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{BFC85452-8E68-46B6-9D74-DEE1293E1BE9}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfwwfp\EpfwWfp.inf"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "ESET Smart Security - Context Menu Shell Extension"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"Type" = "int"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"TimeStamp" = "DF 07 01 00 04 00 1D 00 0E 00 06 00 12 00 D9 02"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
"Export" = "\Device\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71340F0E-B554-4C0C-B88A-E53829621ADD}]
"NoRemove" = "1"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"UpperRange" = "noupper"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateAttempt" = "1422540376"
[HKLM\System\CurrentControlSet\Control\Class\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]
"UpperFilters" = "scfilter, edevmon"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"Default" = "10"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"RootDevice" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKCR\*\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C802CA01BC3064BFC0510CC762FFAA20BFE8EC61]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 C8 02 CA 01"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PnP Filter" = "06 00 00 00 01 00 00 00 03 00 00 00 04 00 00 00"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InstallTimestamp" = "DF 07 01 00 04 00 1D 00 0E 00 06 00 12 00 D9 02"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{BFC85452-8E68-46B6-9D74-DEE1293E1BE9}]
"DriverVer" = "09/11/2014, 8.0.300.0"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"ParamDesc" = "Driverparam for lwf"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET Smart Security\shellExt.dll"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E978-E325-11CE-BFC1-08002BE10318}]
"LowerFilters" = "edevmon"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007]
"NetCfgInstanceId" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]
"TriggerSettings" = "1422541555"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"NDIS" = "18 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Export" = "\Device\NdisWan_{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\NdisWan_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\NdisWan_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\NdisWan_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\NdisWan_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\NdisWan_{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"FilterList" = "{B1422D78-82BA-4FD0-B38A-6203899A1A72}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateCertTimestamp" = "Type: REG_QWORD, Length: 8"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"FilterClass" = "compression"
[HKCR\Folder\ShellEx\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\System\CurrentControlSet\services\eamonm\Instances]
"DefaultInstance" = "AmonMinifilter Instance"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"InstallTime" = "1422540376"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "PartMgr, edevmon"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{AA904D87-89F6-45E0-A250-58977AF033BC}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\eamonm\eamonm.inf"
[HKLM\System\CurrentControlSet\services\eamonm\Instances\AmonMinifilter Instance]
"Altitude" = "328700"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdate" = "1422540376"
[HKLM\System\CurrentControlSet\Control\CLASS\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}]
"UpperFilters" = "edevmon"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"NetComponentId" = "ESET_EpfwLWF"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"FilterList" = "{360A33D7-AC4E-4F80-8799-45E95D991A99}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"FilterRunType" = "1"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InfSection" = "Install"
"Characteristics" = "262144"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"
[HKLM\System\CurrentControlSet\services\edevmon\Instances\DevmonMinifilter Instance]
"Altitude" = "400800"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"Service" = "EpfwLWF"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Route" = "{D720734D-0C14-4C25-829D-F6B4814978B3}, {50CD5E3E-0F08-4519-A9EF-B9802ED12701}, {5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, {B22E8C55-CC74-4FBE-B907-F46D25953BEC}, {CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, {CFCD29B3-A836-426F-8329-8362EC941293}"
"Bind" = "\Device\{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{E0CBF06C-CD8B-4647-BB8A-263B43F0F974}]
"LowerFilters" = "edevmon"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"LocDescription" = "@oem14.inf,%epfwlwf_desc%;Epfw NDIS LightWeight Filter"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]
"Enabled" = "1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "ESET Smart Security - Context Menu Shell Extension"
[HKCR\Drive\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"Default" = "5"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Anti-Virus" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{C93C1454-258D-4656-AEDF-86147BCE4EF3}]
"DriverVer" = "07/18/2014, 8.0.103.0"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"FilterList" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}-0000, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"LowerRange" = "nolower"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InfPath" = "C:\Windows\INF\oem14.inf"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Base" = "15 00 00 00 0E 00 00 00 01 00 00 00 02 00 00 00"
"Streams Drivers" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}]
"LowerFilters" = "edevmon"
[HKLM\System\CurrentControlSet\services\EpfwLWF\Parameters\NdisAdapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"AdapterParam" = "10"
[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"ParamDesc" = "Adapterparam for lwf"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.inf"
[HKLM\System\CurrentControlSet\services\eamonm\Instances\AmonMinifilter Instance]
"Flags" = "0"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.dev.log" = "4096"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"DriverVer" = "07/18/2014, 8.0.103.0"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "ESET Smart Security - Context Menu Shell Extension"
[HKLM\System\CurrentControlSet\services\edevmon\Instances]
"DefaultInstance" = "DevmonMinifilter Instance"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
"(Default)" = "ESET Setup"
[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET Smart Security\x86\shellExt.dll"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{2FA4DECB-D060-41F6-AFCC-770F7D0F1FFD}]
"DriverVer" = "07/18/2014, 8.0.103.0"
[HKLM\System\CurrentControlSet\Control\Network]
"Config" = "00 00 00 00 00 00 00 00 2B 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{2FA4DECB-D060-41F6-AFCC-770F7D0F1FFD}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\ehdrv\ehdrv.inf"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"FilterList" = "{0D252192-084F-4C37-8DED-14986BA82F63}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{C93C1454-258D-4656-AEDF-86147BCE4EF3}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfw\epfw.inf"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"ComponentID" = "ESET_EpfwLWF"
[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"FilterMediaTypes" = "ethernet"
[HKLM\System\CurrentControlSet\services\edevmon\Instances\DevmonMinifilter Instance]
"Flags" = "0"
[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Groups]
"Groups" = "core,win,amon,epfw,antispam,systemstatus,hips,protoscan,parental,horus,lic_suite_c,iris,speclean"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{085DA68B-B60F-4A1D-80ED-247E78B67DAA}]
"DriverVer" = "07/18/2014, 8.0.103.0"
[HKLM\System\CurrentControlSet\services\eamonm]
"SupportedFeatures" = "3"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"Description" = "Epfw NDIS LightWeight Filter"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"
[HKLM\System\CurrentControlSet\services\EpfwLWF\Parameters\NdisAdapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"InterfaceGuid" = "F4 CF E2 E5 F9 81 E4 11 A3 B3 00 50 56 21 01 74"
[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "ESET Smart Security - Context Menu Shell Extension"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{AA904D87-89F6-45E0-A250-58977AF033BC}]
"DriverVer" = "07/31/2014, 8.0.105.0"
[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\ESET\Setup\Drivers\{085DA68B-B60F-4A1D-80ED-247E78B67DAA}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\edevmon\edevmon.inf"
The Worm deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates]
"C802CA01BC3064BFC0510CC762FFAA20BFE8EC61"
[HKLM\System\CurrentControlSet\services\eamonm]
"DeleteFlag"
[HKLM\System\CurrentControlSet\services\ehdrv]
"DeleteFlag"
[HKLM\System\CurrentControlSet\services\edevmon]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\ekrn]
"DeleteFlag"
[HKLM\System\CurrentControlSet\services\epfwwfp]
"DeleteFlag"
[HKLM\System\CurrentControlSet\services\epfw]
"DeleteFlag"
Dropped PE files
| MD5 | File path |
|---|---|
| eb366cfcfd8f5606bcd07f5e1cc53f47 | c:\Program Files (x86)\ESET\CITSINST\Setup.exe |
| c4667ec44941489d5171681988f55e8d | c:\Program Files\ESET\ESET Smart Security\DMON.dll |
| d47e023b543d9fa72ebaad4d30e499b3 | c:\Program Files\ESET\ESET Smart Security\Drivers\eamonm\eamonm.sys |
| 9fb0479d9398c785c607b1196307f782 | c:\Program Files\ESET\ESET Smart Security\Drivers\edevmon\edevmon.sys |
| ede769200779a9746a0f1425ebee59fe | c:\Program Files\ESET\ESET Smart Security\Drivers\ehdrv\ehdrv.sys |
| d8a6b4caa5e240878d65e0eaee6d9082 | c:\Program Files\ESET\ESET Smart Security\Drivers\epfw\epfw.sys |
| c581debb25220862d325be141f02e989 | c:\Program Files\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.sys |
| dc4e3c33a00af1165e7bda9ce147ed2d | c:\Program Files\ESET\ESET Smart Security\Drivers\epfwwfp\EpfwWfp.sys |
| 3cb26c4a4dd07b3ad15a3fd3ec3da371 | c:\Program Files\ESET\ESET Smart Security\ShellExtLang.dll |
| 31c300b2878d4d7dd6de55d83e75532a | c:\Program Files\ESET\ESET Smart Security\SysInspector.exe |
| df0614fbf4b9d95fb1ff8e2d67a0c0fa | c:\Program Files\ESET\ESET Smart Security\SysInspectorLang.dll |
| 511717ae40926fdc8b70a6b451fedeac | c:\Program Files\ESET\ESET Smart Security\SysRescue.exe |
| 3b04b025e50a97713d64b7ec5aa0b1a3 | c:\Program Files\ESET\ESET Smart Security\SysRescueLang.dll |
| 692fe6f01f61bc32f33f1a8262db0464 | c:\Program Files\ESET\ESET Smart Security\ToastNotify.dll |
| e0ba0d21e0c31301d9255a9293922bd7 | c:\Program Files\ESET\ESET Smart Security\callmsi.exe |
| 2aa44a603975ef4278fc177a02594764 | c:\Program Files\ESET\ESET Smart Security\ecls.exe |
| 256f14a35dfbb1c37dd717812add2220 | c:\Program Files\ESET\ESET Smart Security\eclsLang.dll |
| f417571dfe73e9e17706634a5491b48e | c:\Program Files\ESET\ESET Smart Security\ecmd.exe |
| 9ebfcb9761f40dbfff61096360e9f54e | c:\Program Files\ESET\ESET Smart Security\eeclnt.exe |
| c019e2feb48a2b618e03a9fcd879b72a | c:\Program Files\ESET\ESET Smart Security\egui.exe |
| 4512cdb73b133d168ae2b6ba28671a43 | c:\Program Files\ESET\ESET Smart Security\eguiAmon.dll |
| d05a6e65539c850f0a2abbd38d2e93a8 | c:\Program Files\ESET\ESET Smart Security\eguiAmonLang.dll |
| f688a723b897b2cab55c23bc22f8ce1a | c:\Program Files\ESET\ESET Smart Security\eguiDevmon.dll |
| cb1fe0cc514ddf5a792fb2853e6dd830 | c:\Program Files\ESET\ESET Smart Security\eguiDevmonLang.dll |
| fad55f01c0c0ac4273eae41a087a838b | c:\Program Files\ESET\ESET Smart Security\eguiDmon.dll |
| f45bd201f2046b7fd6195336973f1989 | c:\Program Files\ESET\ESET Smart Security\eguiDmonLang.dll |
| e2c202a5f8db88e4f891ae08db11bebf | c:\Program Files\ESET\ESET Smart Security\eguiEmon.dll |
| 004ef5b6bb8089f04901682b61094401 | c:\Program Files\ESET\ESET Smart Security\eguiEmonLang.dll |
| c6a28aec961675815002da6238a346a5 | c:\Program Files\ESET\ESET Smart Security\eguiEpfw.dll |
| e9ff6842a9fef46a6231ecf25cfbda47 | c:\Program Files\ESET\ESET Smart Security\eguiEpfwLang.dll |
| c73ecbc4674a84132298f5ad4e534377 | c:\Program Files\ESET\ESET Smart Security\eguiHips.dll |
| 85dee9009fadb14e1efeebd93b8ca328 | c:\Program Files\ESET\ESET Smart Security\eguiHipsLang.dll |
| 459338ca9d0b4e90c1458116b258d86b | c:\Program Files\ESET\ESET Smart Security\eguiLang.dll |
| 5e533f03005c42fad5e03adf73e6cce5 | c:\Program Files\ESET\ESET Smart Security\eguiMailPlugins.dll |
| 9c0309300783db654e12e379a5ba30d0 | c:\Program Files\ESET\ESET Smart Security\eguiMailPluginsLang.dll |
| 580550c0166c0871b17093159d7d4147 | c:\Program Files\ESET\ESET Smart Security\eguiParental.dll |
| d2ab594ee9a41069accaf893897e155c | c:\Program Files\ESET\ESET Smart Security\eguiParentalLang.dll |
| 699915d7e2c03b7873dac2b0b6583c38 | c:\Program Files\ESET\ESET Smart Security\eguiProduct.dll |
| 50febb39baff5c81624dd253dd877c21 | c:\Program Files\ESET\ESET Smart Security\eguiProductRcd.dll |
| 67d0f90e42e83f1a6d387f5afd13acf4 | c:\Program Files\ESET\ESET Smart Security\eguiScan.dll |
| 332e59c62fbb5f4e76cbe78c5830ceed | c:\Program Files\ESET\ESET Smart Security\eguiScanLang.dll |
| 2f257a1e0a135e7041cc6c87e7363cdf | c:\Program Files\ESET\ESET Smart Security\eguiSmon.dll |
| 173fed6f24dc2fd23fd1d3ce08945678 | c:\Program Files\ESET\ESET Smart Security\eguiSmonLang.dll |
| 34abf2725490ca280e7d822a76a3ddd1 | c:\Program Files\ESET\ESET Smart Security\eguiUpdate.dll |
| aa88ea10a591b4f4cc325d5bf4b43398 | c:\Program Files\ESET\ESET Smart Security\eguiUpdateLang.dll |
| 2b2ac912335127bc457ffac5a59c1bcd | c:\Program Files\ESET\ESET Smart Security\eh64.exe |
| a1274495c3179e43032ac870cbd45e6d | c:\Program Files\ESET\ESET Smart Security\ekrnDmonLang.dll |
| 3050b8996bb7a501e73328b89df8599c | c:\Program Files\ESET\ESET Smart Security\ekrnEpfwLang.dll |
| 39c07719d4fde612caa3e74e843cdae8 | c:\Program Files\ESET\ESET Smart Security\ekrnHipsLang.dll |
| 1a35e8c5131a4a805b8279f72e84d989 | c:\Program Files\ESET\ESET Smart Security\ekrnLang.dll |
| 382fbc02c099d8eff48c7df35321325d | c:\Program Files\ESET\ESET Smart Security\ekrnMailPluginsLang.dll |
| f59e3aa0faf7d914a1d5588ca52c3c7c | c:\Program Files\ESET\ESET Smart Security\ekrnParentalLang.dll |
| facdf1e1bfc7375df9475626c6da5f1e | c:\Program Files\ESET\ESET Smart Security\ekrnScanLang.dll |
| 4b1d453908ff357b8ff0489c37f83fe0 | c:\Program Files\ESET\ESET Smart Security\ekrnSmonLang.dll |
| 635046d9e254c12f2cec342b6a05d8b0 | c:\Program Files\ESET\ESET Smart Security\ekrnUpdateLang.dll |
| 4c8427f0d05dde8aa316d787672b6dc8 | c:\Program Files\ESET\ESET Smart Security\emesj007_32.dat |
| 2beb36ba5f7d318ce12ec5951e25567a | c:\Program Files\ESET\ESET Smart Security\eplgHooks.dll |
| a24133ec9936b7e9317c69a10b45b914 | c:\Program Files\ESET\ESET Smart Security\eplgOE.dll |
| 6301395eedfa56a4fe8387e5cc6a9051 | c:\Program Files\ESET\ESET Smart Security\eplgOEEmon.dll |
| 36fbab2a952cbd03ddc99b91fc0271ea | c:\Program Files\ESET\ESET Smart Security\eplgOELang.dll |
| 2052e9458432cab7726589c754be7e56 | c:\Program Files\ESET\ESET Smart Security\eplgOESmon.dll |
| cecb6363b2a73ef42febf88f8e0897de | c:\Program Files\ESET\ESET Smart Security\eplgOESmonLang.dll |
| d055d2209391ba24f2ccf901f686e8b6 | c:\Program Files\ESET\ESET Smart Security\eplgOutlook.dll |
| 466bbda017f729b6dec9867161c56324 | c:\Program Files\ESET\ESET Smart Security\eplgOutlookEmon.dll |
| 5fd524f0a5dae970f7e7df0a408c3d25 | c:\Program Files\ESET\ESET Smart Security\eplgOutlookEmonLang.dll |
| fe14dfc385174047af33cfd52a7c3385 | c:\Program Files\ESET\ESET Smart Security\eplgOutlookLang.dll |
| 4c31e48b9bcc1a43a4eefbdffc25799f | c:\Program Files\ESET\ESET Smart Security\eplgOutlookSmon.dll |
| 66fc6c462dad80f80b978ad6038e58c2 | c:\Program Files\ESET\ESET Smart Security\eplgOutlookSmonLang.dll |
| f110cf19d56f58606eaae8a685279338 | c:\Program Files\ESET\ESET Smart Security\mfc110u.dll |
| 7caa1b97a3311eb5a695e3c9028616e7 | c:\Program Files\ESET\ESET Smart Security\msvcp110.dll |
| 7c3b449f661d99a9b1033a14033d2987 | c:\Program Files\ESET\ESET Smart Security\msvcr110.dll |
| dde2c78173535ca8ca8cbf8eb80ff78f | c:\Program Files\ESET\ESET Smart Security\shellExt.dll |
| 65565b7ec5b08f91b608949a06d27920 | c:\Program Files\ESET\ESET Smart Security\speclean.exe |
| 65cca3fd5bc4ebe3e4c4d376aafb397b | c:\Program Files\ESET\ESET Smart Security\updater.dll |
| 36aab2d37ccb732068a478ae734802bd | c:\Program Files\ESET\ESET Smart Security\x86\DMON.dll |
| 6d62813dccd7c2baba9401fc5242efed | c:\Program Files\ESET\ESET Smart Security\x86\EModCmd.exe |
| a35fc17b883c686146b4b3a9477ae413 | c:\Program Files\ESET\ESET Smart Security\x86\eCapture.exe |
| 58fbda10fc403cf9f82abd0a68129ba3 | c:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe |
| e4ab9eafdbb8f73f05f1b6e57b5ec0bd | c:\Program Files\ESET\ESET Smart Security\x86\ekrnAmon.dll |
| 2cefded5616218f17a9f23fefc299096 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnAntitheft.dll |
| a392cbe8772775327d3a6bc774e25027 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnDevmon.dll |
| 6fe269eafa47eb7369acd9932e9a0edf | c:\Program Files\ESET\ESET Smart Security\x86\ekrnDmon.dll |
| f9142c5c90b19f229cc6cbea36371e7b | c:\Program Files\ESET\ESET Smart Security\x86\ekrnEmon.dll |
| ddb8c06fc4315509a1f5eb4b7b9f7ed0 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnEpfw.dll |
| 54877234736d60fe329ea94e31491b97 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnHips.dll |
| efb123ad63f122512032cbece9e8cdcb | c:\Program Files\ESET\ESET Smart Security\x86\ekrnMailPlugins.dll |
| 2fef40b0d39abb1659b578928c01e17f | c:\Program Files\ESET\ESET Smart Security\x86\ekrnParental.dll |
| 369b6d7e4a31f07d0544d905fc1ff4cc | c:\Program Files\ESET\ESET Smart Security\x86\ekrnScan.dll |
| 025f0db99d2f71e9edb0a6c5f27e4c21 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnSmon.dll |
| bc561deb9ddba995b953511ac9c8327c | c:\Program Files\ESET\ESET Smart Security\x86\ekrnSmonEngine.dll |
| e0a3553142c9a750f55f52c63f23a2c2 | c:\Program Files\ESET\ESET Smart Security\x86\ekrnUpdate.dll |
| 99fc0d1b5a0931d17c9cf622b471f03c | c:\Program Files\ESET\ESET Smart Security\x86\eplgOE.dll |
| 1eec19a1bb7fb8193509ee7239dc8d3b | c:\Program Files\ESET\ESET Smart Security\x86\eplgOEEmon.dll |
| cfcb3505815382554a8d872bebd6fb7d | c:\Program Files\ESET\ESET Smart Security\x86\eplgOESmon.dll |
| 252732296038213b71d01a2583d46afe | c:\Program Files\ESET\ESET Smart Security\x86\eplgOutlook.dll |
| ab5760b71abad9ffe29601b78ef0af09 | c:\Program Files\ESET\ESET Smart Security\x86\eplgOutlookEmon.dll |
| 64d0d717b412c993ff8c62e09ae2a066 | c:\Program Files\ESET\ESET Smart Security\x86\eplgOutlookSmon.dll |
| 3e29914113ec4b968ba5eb1f6d194a0a | c:\Program Files\ESET\ESET Smart Security\x86\msvcp110.dll |
| 4ba25d2cbe1587a841dcfb8c8c4a6ea6 | c:\Program Files\ESET\ESET Smart Security\x86\msvcr110.dll |
| ebbb193195f887584e50a6ac113422ea | c:\Program Files\ESET\ESET Smart Security\x86\shellExt.dll |
| 3b5a31a0b74f80f9598647d34f1e832c | c:\Program Files\ESET\ESET Smart Security\x86\updater.dll |
| 38626347a09aa38da32800bcf171d7e9 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CheckDriver64.exe |
| 331e374dff5d39687261babde003fa6f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup.exe |
| f166dee39f40329478b3497b2c1e1d79 | c:\Windows\Installer\{71340F0E-B554-4C0C-B88A-E53829621ADD}\Icon_Product |
| c581debb25220862d325be141f02e989 | c:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\EpfwLWF.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\epfw.sys" the Worm controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls loading executable images into a memory by installing the Load image notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls operations with a system registry by installing the registry notifier.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3304
egui.exe:2604
ekrn.exe:2988
DrvInst.exe:3772
DrvInst.exe:2880
DrvInst.exe:3456
DrvInst.exe:612
DrvInst.exe:2152
DrvInst.exe:1664
Setup.exe:1408
Setup.exe:2788
mobsync.exe:1416
MsiExec.exe:704
MsiExec.exe:3464
MsiExec.exe:3000 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft2463.tmp\pftw1.pkg (550 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupNotification.xml (197 bytes)
%Program Files% (x86)\ESET\CITSINST\Setup.exe (174574 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext2443.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf2442.tmp (4 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupLauncherV2.xml (4 bytes)
%Program Files% (x86)\ESET\CITSINST\eula_ess.txt (20 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\epfwlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\urllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB (389233 bytes)
C:\Windows\System32\drivers\eamonm.sys (245 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwUser.dat (720 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata.dat (676 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTmp2.dat (23 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db-journal (544 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc1.bin.full.2014.11.03.05.11.43 (852 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc21.bin.full.2014.10.15.23.36.04 (1 bytes)
C:\ProgramData\ESET\ESET Smart Security\epfwdata.bin (258 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\virlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db (244143 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\hipslog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\parentallog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\warnlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\spamlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc2.bin.full.2005.02.11.04.44.13 (9 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata2.dat (394 bytes)
%Program Files%\ESET\ESET Smart Security\emesj007_32.dat (176 bytes)
C:\Windows\System32\drivers\edevmon.sys (241 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTemp.dat (285 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.bin (168 bytes)
%Program Files%\ESET\ESET Smart Security\speclean.new (589 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\devctrllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.xml (32 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db-journal (544 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_neutral_d20c42e70c913283\epfw.PNF (6492 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5541.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5540.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1688 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\inf\oem13.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624C.tmp (5 bytes)
C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624B.tmp (8 bytes)
C:\Windows\inf\oem16.inf (5 bytes)
C:\Windows\System32\DriverStore\FileRepository\edevmon.inf_amd64_neutral_b3219a1046723b4d\edevmon.PNF (5703 bytes)
C:\Windows\inf\oem9.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET5206.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET51F6.tmp (8 bytes)
C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_neutral_de35935fbadc0b42\ehdrv.PNF (5619 bytes)
C:\Windows\inf\oem15.inf (2 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D4.tmp (8 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D5.tmp (2 bytes)
C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_neutral_6def4c43f49cc607\eamonm.PNF (6779 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5735.tmp (2 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (4666 bytes)
C:\Windows\inf\oem14.inf (2 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5734.tmp (8 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5736.tmp (44 bytes)
C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53D9.tmp (8 bytes)
C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53DA.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_neutral_30e8a68da2d9957f\epfwwfp.PNF (8695 bytes)
C:\Windows\inf\oem12.inf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ess_nt64_JPN.msi (10848492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\cfg[1].xml (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cfg.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\CheckDriver64[1].exe (225705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DownloadConfig.xml (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\ess_nt64_JPN[1].msi (40838206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (151204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\DownloadConfig[1].xml (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CheckDriver64.exe (61540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\eula_ess.txt (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherV2.xml (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Setup[1].dat (4878362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherV2[1].xml (241 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupNotification[1].xml (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherVer.xml (759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupNotification.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup.exe (1298341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherVer[1].xml (759 bytes)
C:\Windows\Installer\MSIF1F1.tmp (708 bytes)
C:\Windows\Installer\MSIF1E1.tmp (708 bytes)
C:\Windows\Installer\MSIF260.tmp (708 bytes)
C:\Windows\Installer\MSIFCB3.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inxF141.tmp (33 bytes)
C:\Windows\Installer\MSIF104.tmp (708 bytes)
C:\ProgramData\ESET\ESET Smart Security\Installer\c8a.msi (638042 bytes)
C:\Windows\Installer\MSIF172.tmp (708 bytes)
C:\Windows\Installer\MSI7DF6.tmp (708 bytes)
C:\Windows\Installer\MSIF37A.tmp (708 bytes)
C:\Windows\Installer\MSI7D2A.tmp (708 bytes)
C:\Windows\Installer\MSI7894.tmp (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3839.tmp (1327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386A.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12EA.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D1.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C51.tmp (277 bytes)
%Program Files%\ESET\ESET Smart Security\msvcp110.dll (663 bytes)
%Program Files%\ESET\ESET Smart Security\em023_32.dat (31071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3939.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E91.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BFF.tmp (4073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138C.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1634.tmp (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP386B.tmp (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FB.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DB.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E49.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35CC.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EE.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13C0.tmp (21585 bytes)
%Program Files%\ESET\ESET Smart Security\em006_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1134.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DC8.tmp (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1114.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E5E.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1258.tmp (260 bytes)
C:\Windows\System32\drivers\SET54B5.tmp (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39EC.tmp (3905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3829.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D40.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD2.tmp (8 bytes)
C:\Windows\Installer\MSI5380.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B49.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39C9.tmp (616 bytes)
%Program Files%\ESET\ESET Smart Security\em004_32.dat (7726 bytes)
%Program Files%\ESET\ESET Smart Security\em031_32.dat (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B4A.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FA1.tmp (749 bytes)
C:\Windows\System32\catroot2\dberr.txt (4929 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3925.tmp (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130D.tmp (272 bytes)
C:\Windows\Installer\MSIFCE3.tmp (708 bytes)
C:\Windows\Installer\MSIFCE4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1D4B.tmp (34578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1223.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C50.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DA0.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DCA.tmp (2938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36DA.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DA5.tmp (209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4557.tmp (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP14AC.tmp (29628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4C.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D5.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38F5.tmp (2772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BEF.tmp (3821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC6.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1248.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A6A.tmp (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FB2.tmp (2628 bytes)
C:\Windows\System32\drivers\SET52E0.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EF.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F8F.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A9.tmp (1 bytes)
C:\Windows\Installer\MSIF59F.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1194.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1212.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP394A.tmp (3268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP138B.tmp (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3827.tmp (279 bytes)
%Program Files%\ESET\ESET Smart Security\em015_32.dat (6 bytes)
%Program Files%\ESET\ESET Smart Security\em001_32.dat (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4526.tmp (301 bytes)
%Program Files%\ESET\ESET Smart Security\msvcr110.dll (851 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6218.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B7A.tmp (8729 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CB4.tmp (4 bytes)
C:\Windows\Installer\MSI56DC.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F18.tmp (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1635.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1667.tmp (75333 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DF4.tmp (12604 bytes)
C:\Windows\System32\drivers\SET61D3.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C7.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CEA.tmp (1038 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1400.tmp (22384 bytes)
C:\Windows\Installer\MSIF4B4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E92.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B47.tmp (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF13B0.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3828.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3ED6.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em020_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D0A.tmp (2 bytes)
C:\Windows\Installer\MSIF5CF.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11FF.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D61.tmp (2380 bytes)
%Program Files%\ESET\ESET Smart Security\em018_32.dat (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5F.tmp (1648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DFA.tmp (3917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12B2.tmp (295 bytes)
%Program Files%\ESET\ESET Smart Security\em006_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38C0.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35DE.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE2.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F90.tmp (27 bytes)
C:\Windows\System32\drivers\SET590B.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F91.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11A4.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5507.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131F.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DB8.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1331.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF387E.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B7.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A2.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3C0C.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1259.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36EB.tmp (102 bytes)
C:\Windows\System32\drivers\SET565B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126B.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3937.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D50.tmp (1848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387D.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A8.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E6F.tmp (1881 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13AF.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B6.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C84.tmp (1399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1222.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127F.tmp (294 bytes)
C:\Windows\Installer\MSI636D.tmp (708 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (10099 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E48DDEA3BF68DF580551FA0F27950B54 (1328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F19.tmp (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3826.tmp (102 bytes)
%Program Files%\ESET\ESET Smart Security\em009_64.dat (8281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1646.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1367.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1247.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39CA.tmp (271 bytes)
%Program Files%\ESET\ESET Smart Security\em010_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C8B.tmp (3279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1101.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF132F.tmp (252 bytes)
%Program Files%\ESET\ESET Smart Security\em003_32.dat (7547 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1342.tmp (274 bytes)
%Program Files%\ESET\ESET Smart Security\em018_64.dat (673 bytes)
C:\Windows\Installer\MSI518C.tmp (708 bytes)
%Program Files%\ESET\ESET Smart Security\em000_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E8.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F8E.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FC.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DD1.tmp (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3F.tmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1379.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E4B.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DA.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1366.tmp (282 bytes)
C:\Windows\Installer\MSI6205.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1290.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4546.tmp (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6217.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1355.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127D.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3869.tmp (108 bytes)
C:\Windows\Installer\MSI4F0B.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35CB.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D2B.tmp (214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A8E.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126D.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DE3.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BC9.tmp (182 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CB5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET539E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET538D.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138A.tmp (285 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39DB.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EA3.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A9F.tmp (2077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CD9.tmp (1063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE4.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1102.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DC9.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D3E.tmp (252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D3.tmp (15 bytes)
%Program Files%\ESET\ESET Smart Security\em017_64.dat (30427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A8D.tmp (37 bytes)
%Program Files%\ESET\ESET Smart Security\em009_32.dat (7726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C0B.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D0B.tmp (267 bytes)
%Program Files%\ESET\ESET Smart Security\em002_32.dat (259130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB5.tmp (1840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3926.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36FC.tmp (1386 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386C.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6071.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\em008_64.dat (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C4.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1235.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A7B.tmp (553 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4E62.tmp (9890 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131E.tmp (267 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3ED7.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126C.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1378.tmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387F.tmp (2200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP473E.tmp (1555561 bytes)
C:\Windows\System32\drivers\SET633B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35DD.tmp (94 bytes)
%Program Files%\ESET\ESET Smart Security\em024_32.dat (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4547.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDE.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38BF.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C3.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD3.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP396A.tmp (3607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DA1.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C1D.tmp (3124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5506.tmp (8 bytes)
C:\Windows\Installer\MSI797F.tmp (708 bytes)
C:\Windows\Installer\MSIFD24.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11ED.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FC.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\updater.dll (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38E4.tmp (2920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D7.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F7C.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1234.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4569.tmp (1634611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BFB.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1330.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6070.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1353.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1200.tmp (259 bytes)
%Program Files%\ESET\ESET Smart Security\em021_32.dat (15019 bytes)
%Program Files%\ESET\ESET Smart Security\em000_32.dat (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDC.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E90.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD4.tmp (564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B48.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD5.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127E.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF139E.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1246.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BFA.tmp (714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C5.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3938.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E9.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C64.tmp (2437 bytes)
%Program Files%\ESET\ESET Smart Security\em015_64.dat (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36EC.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C3F.tmp (198 bytes)
C:\Windows\Installer\MSI54E8.tmp (708 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (1024 bytes)
%Program Files%\ESET\ESET Smart Security\em022_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C52.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1354.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BE8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF14CC.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BCA.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC5.tmp (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP139D.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A7C.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130C.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FD.tmp (44 bytes)
%Program Files%\ESET\ESET Smart Security\em019_32.dat (1281 bytes)
%Program Files%\ESET\ESET Smart Security\em028_64.dat (8 bytes)
%Program Files%\ESET\ESET Smart Security\em005_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36D9.tmp (1 bytes)
C:\Windows\Installer\MSIFD04.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1211.tmp (271 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1103.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E8F.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em008_32.dat (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FB.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F7D.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39DA.tmp (93 bytes)
%Program Files%\ESET\ESET Smart Security\em017_32.dat (30427 bytes)
C:\Windows\inf\oem14.PNF (4666 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3AEE.tmp (2575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3D.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4525.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1365.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF10F1.tmp (285 bytes)
C:\Windows\Installer\MSI7CF9.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP40EF.tmp (1577253 bytes)
C:\Windows\Temp\OLD60E6.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F08.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DB7.tmp (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38D2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4558.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DA6.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BE9.tmp (301 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E48DDEA3BF68DF580551FA0F27950B54 (573 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11D9.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F07.tmp (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DC.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D6.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1647.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C40.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B36.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B35.tmp (401 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B5A.tmp (7861 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3936.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1389.tmp (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1193.tmp (277 bytes)
C:\Windows\Installer\MSI637E.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A6B.tmp (294 bytes)
C:\Windows\Installer\MSI6030.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F1A.tmp (1597880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDB.tmp (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35EE.tmp (1185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3EA4.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB6.tmp (2390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC7.tmp (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP389F.tmp (2901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D2C.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C53.tmp (277 bytes)
C:\Windows\System32\drivers\SET5FEE.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38E3.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A1.tmp (286 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui" = "%Program Files%\ESET\ESET Smart Security\egui.exe /hide /waitservice" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: Canon IT Solutions Inc.
Product Name: ESET Smart Security
Product Version: 8.0
Legal Copyright:
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32
File Version: 8.0
File Description:
Comments:
Language: Language Neutral
Company Name: Canon IT Solutions Inc. Product Name: ESET Smart SecurityProduct Version: 8.0Legal Copyright: Legal Trademarks: Original Filename: stub32i.exe Internal Name: stub32 File Version: 8.0File Description: Comments: Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 74806 | 77824 | 4.53047 | 5c5060bef67ebb81f05c17a35ec12872 |
| .rdata | 81920 | 6578 | 8192 | 3.37694 | 1fa22713014a16f333a15283f667d28b |
| .data | 90112 | 28260 | 16384 | 0.93577 | a208c1abc7e4034fdfe9e0052f48914b |
| .rsrc | 118784 | 182952 | 184320 | 4.86809 | 8fbadcdaf1754a531af5b41961796869 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 23
ade12b7f6d249b7041a83d1e1ea0f538
91f5d4f37d60d820430034d5c9e5cd6a
06daf6ddb3e48031f93215e168f26dd8
03d284177b1d6ee5d2c4d3a46a0f034d
0bc91e0b13d6663d3120bb06a1c6871f
509b9f3a1d3d100c7ffbba3dd7979dbf
1c74d7b22e032778bb017edf9ac75291
a9dbb9d4402b929ddd45169cd1af361d
1a4abb53488268be17dd94040ad85a07
7dd7a25e422fa6f7c8efa63e16586ace
f0a9d972298a64b6d161628e1891e57c
fc0666a84dbeadc8a44e0957c2894099
814742fdf3c4d4774b7a0800c80f20d0
fdc372bc94375a8599fca86fa98ea17c
19ed66518c51eced1cfa0cb11e8aebfb
a754a01ed2f105f709425fc217db1e5c
13ed73d1b556d86cb0ff88bed0fbc76b
4a1531d0d0ee5bc704e66be394fa207c
4ed36626785be88e6ee85ba7ee96553a
46d7285a59eaf4e183fa42609b36d749
11599378a69e43886037507bc0f372a9
0c295b8872c939184ab0ac86395b5f50
cc77ef78fbe70e0595ed16e49aea8e7f
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupLauncherVer.xml | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/Setup.dat | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupLauncherV2.xml | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupNotification.xml | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/DownloadConfig.xml | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver64.exe | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/cfg.xml | 54.231.225.64 |
| hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/latest/ess_nt64_JPN.msi | 54.231.225.64 |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573 | |
| hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1 | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | |
| hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg= | |
| hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
| hxxp://e10088.dscb.akamaiedge.net/pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl | |
| hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= | 23.42.27.27 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1 | 87.245.202.24 |
| hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg= | 23.42.27.27 |
| hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573 | 87.245.202.24 |
| hxxp://www.microsoft.com/pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl | 23.64.223.148 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=418493, public, no-transform, must-revalidate
Last-Modified: Tue, 27 Jan 2015 10:17:02 GMT
Expires: Tue, 3 Feb 2015 10:17:02 GMT
Date: Thu, 29 Jan 2015 14:05:30 GMT
Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..20150127101702Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...313..R...%V.......K3.....20150127101702Z....20150203101702Z0...*.H.............A8~....@.........C..l..2....#:....U.^.....`.DE.....!F....7..u..Q.r...!R......?......ajn...k.....K.(..ZmP..QK@........W.R..HP........F..,...]%..zA.<..I.....K.?...Y.`.....\............:B.\......d....R.e|..t.~.$...>3./m>.@.....ZM{?.....N......%b.{UUb>.t.q..4/....0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G50...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responder Certificate 30.."0...*.H.............0...............2&..PL...,..2....:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J.....@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http://VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0......0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUNp0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve.
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=361385, public, no-transform, must-revalidate
Last-Modified: Mon, 26 Jan 2015 18:27:04 GMT
Expires: Mon, 2 Feb 2015 18:27:04 GMT
Date: Thu, 29 Jan 2015 14:05:30 GMT
Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..20150126182704Z0s0q0I0... ...................F....0.yV......{&.K......&..........@...:.]U.........20150126182704Z....20150202182704Z0...*.H.............D.go,....N...bE!.......4e.....gi.....k.D...k.............ba32x.x.m....c.7..78WJ...l.Ge.{.....9.L. ...3(....c5..8..`{n:Fv.~?.S.........sJ.............7u>.yE.......EM.P.@E.h'.OK..).j{%:...."...F".E....\.y..@./hwv..b}@D=....f..........nd........?C..........}p....0...0...0........../...nj0...}..i..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA0...141204000000Z..150304235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Class 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0.........4.4...........o....?..f.........I.!.b.L...L..U.........rM.,.....=..cR4d.~*..k..x......=.WT.<.A2n1.qZyM.M..Q_...8....9....d.... ...'.........h..Z..I...(.b.jK..DO.ra..gb..j..A.(....mrzU.w.......Bv...l.:s..L....y.....u..n.)W......Y!....Q...,.i|.....:.Mu..DD1.........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24600...*.H..............pjd....VpE.6.tO..@.....7.=.. ...........hi.......>....Q.?
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Thu, 29 Jan 2015 14:05:30 GMT
Connection: keep-alive
....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Thu, 29 Jan 2015 14:05:30 GMT
Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.stl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.....................@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz..!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m..._.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?...........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]<!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!.........`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=...f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/DownloadConfig.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: 4FwE137l MHp61PRfhFRBpj8e9CObM2o2iKiZwaMp56ZUGBTTDp49S1bzBKaIgY8GXs96LqIQnc=
x-amz-request-id: 49FCC778966F35AB
Date: Thu, 29 Jan 2015 14:03:48 GMT
Last-Modified: Mon, 26 Jan 2015 03:02:52 GMT
ETag: "dfc4125c3b35ffd0f95bc1d5eef5461a"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 10768
Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<DownloadConfig>...<PackageDownloadServerCount>16</PackageDownloadServerCount>...<Package00>....<PackageDownloadURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver86.exe</PackageDownloadURL>....<PackageVersion>8.0</PackageVersion>....<PackageName>Driver Check Tool</PackageName>....<PackageFileName>CheckDriver86.exe</PackageFileName>....<PackageFileSize>316</PackageFileSize>....<ProductType>1</ProductType>....<Architecture>0</Architecture>....<ExecType>2</ExecType>....<SaveFilePath>*USERTEMP*CheckDriver86.exe</SaveFilePath>....<ExecCommand>*USERTEMP*CheckDriver86.exe</ExecCommand>....<PackageHash>421609822a77d8ac594125dcaa144b85</PackageHash>....<TargetOS>0</TargetOS>....<ErrorSkip>0</ErrorSkip>...</Package00>...<Package01>....<PackageDownloadURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver64.exe</PackageDownloadURL>....<PackageVersion>8.0</PackageVersion>....<PackageName>Driver Check Tool</PackageName>....<PackageFileName>CheckDriver64.exe</PackageFileName>....<PackageFileSize>457</PackageFileSize>....<ProductType>1</ProductType>....<Architecture>1</Architecture>....<ExecType>2</ExecType>....<SaveFilePath
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/tools/CheckDriver64.exe HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: j38fk6YeQFsZzNJL15cLgvMmsSjv0ZDGeE25chnrjqOdljX5NCl p16sOyND1UrsQ2UGECSFJgA=
x-amz-request-id: BD93EE8A8A6D40F8
Date: Thu, 29 Jan 2015 14:03:50 GMT
Last-Modified: Fri, 05 Dec 2014 09:10:09 GMT
ETag: "38626347a09aa38da32800bcf171d7e9"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 467024
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{.kA{.kA{.kA...Aq.kA...A`.kA{.jAP.kA\M.A..kA\M.Ar.kA\M.A..kA\M.A~.kA\M.Az.kA\M.Az.kARich{.kA................PE..d....?.Q..........#......^.....................@.....................................D..................................................................T........Q......P...........`|...............................................p.. .......@....................text....\.......^.................. ..`.rdata...w...p...x...b..............@..@.data...P........8..................@....pdata...Q.......R..................@..@.rsrc...T............d..............@..@................................................................................................................................................................................................................................................................................................................................H...............H.\$.WH.. ..H....%.....t.H.......H..H.\$0H.. _..@SUVWATAUAVH......H.D$h....L...D$@.....D$D....H.L$@..._..I...c...3..t\..H..A...I....e..3.D....;..H....H.......u...@........H..H...P.H.x.H..$.....S;..L....H.......u...@...r....H..I...P.H...H.D$0.";..L....H.......u...@...A....H..I...P.H...H.D$8..:..L....H.......u...@........H..I...P.H...H..$....A..@...H.T$XI........H..H.r.H...H...H;.................H..H;.......H...P H...~..|.H;.u.L....F...BH..A......V...L..H..u........F.A.D$..F....Hc.L...L.F.H..I
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/tools/cfg.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: 8kEwxzZLv EJeP yoRApSb0WGL0PJvThdtHCYDXPcTMO3WQvMNlXIt5h1Y5zMe aIfoGRLI4tzI=
x-amz-request-id: 99222B4CDD7201B4
Date: Thu, 29 Jan 2015 14:03:51 GMT
Last-Modified: Thu, 08 Jan 2015 05:49:13 GMT
ETag: "a74dde7c0d759ca808a2f4130bfcd9ca"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 3169
Server: AmazonS3
<?xml version="1.0" encoding="utf-8"?>.<ESET>. <SECTION ID="1000103">. <SETTINGS>. <PLUGINS>. <PLUGIN ID="1000600">. <PROFILES>. <NODE NAME="@My profile" TYPE="SUBNODE">. <NODE NAME="SMTP_Flags" VALUE="4" TYPE="DWORD" />. <NODE NAME="CloudEnabled" VALUE="1" TYPE="DWORD" />. <NODE NAME="CloudFlags" VALUE="0" TYPE="DWORD" />. <NODE NAME="Scheduler" TYPE="SUBNODE">. <NODE NAME="Reset" VALUE="0" TYPE="DWORD" />. <NODE NAME="ElevationFlags" VALUE="2" TYPE="DWORD" />. <TASK>. <NODE NAME="Name" VALUE="...................................................... " TYPE="STRING" />. <NODE NAME="ActionCode" VALUE="2" TYPE="DWORD" />. <NODE NAME="ModuleID" VALUE="1000600" TYPE="DWORD" />. <NODE NAME="TriggerType" VALUE="4" TYPE="DWORD" />. <NODE NAME="TriggerSettings" VALUE="50000" TYPE="DWORD" />. <NODE NAME="StartFailSettings" VALUE="0" TYPE="DWORD" />. <NODE NAME="Enabled" VALUE="0" TYPE="DWORD" />. <NODE NAME="LastExec" VALUE="FFFFFFFF" TYPE="DWORD" />. <NODE NAME="Flags" VALUE="1" TYPE="DWORD" />. <NODE NAME="RegId" VALUE="3" TYPE="DWORD" />. <NODE NAME="DeleteThis" VALUE="0" TYPE="DWORD" />. <NODE NAME="EnableThis" VALUE="0" TYPE="DWORD" />. <NODE NAME="DisableThis" VALUE="0" TYPE="DWORD" />.
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/latest/ess_nt64_JPN.msi HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: zxv4XH1OUcmPQM/SUGs/xkefjr 9gaj2K3aUWgPCZdg27PU5OHRgv8a7GpUCYB6h6K/KHfjf3Ns=
x-amz-request-id: 41DCFE4E9B6B286A
Date: Thu, 29 Jan 2015 14:03:52 GMT
Last-Modified: Thu, 08 Jan 2015 05:43:38 GMT
ETag: "c8f9f8726b44d98123a22f0d062d9e93-2"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 83861504
Server: AmazonS3
........................>.................................................................................... ...$...(...,...0...4...8...<...@...D...H...L................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 03 Jan 2015 06:02:10 GMT
Accept-Ranges: bytes
ETag: "c9b2f1cf1a27d01:0"
Server: Microsoft-IIS/8.0
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
VTag: 43820326300000000
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 573
Cache-Control: max-age=112
Date: Thu, 29 Jan 2015 14:05:55 GMT
Connection: keep-alive
X-CCC: PL
X-CID: 2
0..90..!...0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1503..U...,Microsoft Windows Hardware Compatibility PCA..150102214534Z..150502220534Z.a0_0...U.#..0...(..a.|.?.k..".j ..>-0... .....7.........0...U......m0... .....7......150402215534Z0...*.H.............[.0.92W..'..E..,ew..o.Z......F$a.n...5m....I.........7..hl..u...j._aI.....kjo.O4..Q......Jn.^.<(..............4..t........ ....f.S.Q.%....{......."/......o..........-..M.........ld...5..#9 ..t<.X.F...<.%..)...i.B....{..m..._.|...k..o.....nq.p~..pXk|<..X..,HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Sat, 03 Jan 2015 06:02:10 GMT..Accept-Ranges: bytes..ETag: "c9b2f1cf1a27d01:0"..Server: Microsoft-IIS/8.0..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..VTag: 43820326300000000..X-Powered-By: ASP.NET..X-Powered-By: ARR/2.5..X-Powered-By: ASP.NET..Content-Length: 573..Cache-Control: max-age=112..Date: Thu, 29 Jan 2015 14:05:55 GMT..Connection: keep-alive..X-CCC: PL..X-CID: 2..0..90..!...0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1503..U...,Microsoft Windows Hardware Compatibility PCA..150102214534Z..150502220534Z.a0_0...U.#..0...(..a.|.?.k..".j ..>-0... .....7.........0...U......m0... .....7......150402215534Z0...*.H.............[.0.92W..'..E..,ew..o.Z......F$a.n...5m....I.........7..hl..u...j._aI.....kjo.O4..Q......Jn.^.<(............
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT
Accept-Ranges: bytes
ETag: "88c4768d3f2ad01:0"
Server: Microsoft-IIS/8.0
VTag: 438542942000000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Thu, 29 Jan 2015 14:05:55 GMT
Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M........z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{.s...@....f.|7z.. ......>..Q...(......._....UM.EN.@.K\]#..Y.*.......T. .C.....A'..5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Qw......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.....HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT..Accept-Ranges: bytes..ETag: "88c4768d3f2ad01:0"..Server: Microsoft-IIS/8.0..VTag: 438542942000000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 813..Cache-Control: max-age=900..Date: Thu, 29 Jan 2015 14:05:55 GMT..Connection: keep-alive..0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/DownloadConfig.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: B59Ub1cHK6O9VGqS889GVG32O4dE1Mbx/b35FryYj2QQb24z8hJCP fQ nQXtKdysAv4Q06L2PU=
x-amz-request-id: 0F82194ED31E2EA1
Date: Thu, 29 Jan 2015 14:03:47 GMT
Last-Modified: Mon, 26 Jan 2015 03:02:52 GMT
ETag: "dfc4125c3b35ffd0f95bc1d5eef5461a"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 10768
Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<DownloadConfig>...<PackageDownloadServerCount>16</PackageDownloadServerCount>...<Package00>....<PackageDownloadURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver86.exe</PackageDownloadURL>....<PackageVersion>8.0</PackageVersion>....<PackageName>Driver Check Tool</PackageName>....<PackageFileName>CheckDriver86.exe</PackageFileName>....<PackageFileSize>316</PackageFileSize>....<ProductType>1</ProductType>....<Architecture>0</Architecture>....<ExecType>2</ExecType>....<SaveFilePath>*USERTEMP*CheckDriver86.exe</SaveFilePath>....<ExecCommand>*USERTEMP*CheckDriver86.exe</ExecCommand>....<PackageHash>421609822a77d8ac594125dcaa144b85</PackageHash>....<TargetOS>0</TargetOS>....<ErrorSkip>0</ErrorSkip>...</Package00>...<Package01>....<PackageDownloadURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver64.exe</PackageDownloadURL>....<PackageVersion>8.0</PackageVersion>....<PackageName>Driver Check Tool</PackageName>....<PackageFileName>CheckDriver64.exe</PackageFileName>....<PackageFileSize>457</PackageFileSize>....<ProductType>1</ProductType>....<Architecture>1</Architecture>....<ExecType>2</ExecType>....<SaveFilePath
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/SetupLauncherVer.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: NUn2RtwutcFNtNriysVdbDjup2rdLxN6bVsB/2IUwrj4osFSU2HJZaruIaQ 2bhv
x-amz-request-id: FB2E43318108B71C
Date: Thu, 29 Jan 2015 14:02:32 GMT
Last-Modified: Thu, 08 Jan 2015 06:00:33 GMT
ETag: "6d7d0b88bb3d4d97afbcdf869911c55e"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 759
Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<SetupLauncherVer>...<SetupLauncherVerData>....<LastVersion>30803</LastVersion>....<SetupExe>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/Setup.dat</SetupExe>....<SetupLauncherXMLVersion>00802</SetupLauncherXMLVersion>....<SetupLauncherURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupLauncherV2.xml</SetupLauncherURL>....<SetupNotificationVersion>00802</SetupNotificationVersion>....<SetupNotificationURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupNotification.xml</SetupNotificationURL>....<ESSLatestVersion>8.00.304.07</ESSLatestVersion>....<EAVLatestVersion>8.00.304.07</EAVLatestVersion>...</SetupLauncherVerData>..</SetupLauncherVer>......
GET /c-its/download/eset/cw/v8he/Setup.dat HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: AgpKJ9S7NrRGWuMaBDorgKNEoEDtd3XBzTUPQPlg/g9Rc22B51Sw3c483cem8aw0
x-amz-request-id: 41FA081651E8874A
Date: Thu, 29 Jan 2015 14:02:32 GMT
Last-Modified: Wed, 17 Dec 2014 05:06:50 GMT
ETag: "331e374dff5d39687261babde003fa6f"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 10131816
Server: AmazonS3
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O..T................................`...,E......,E......,E......,E..$...,E......,E......Rich............................PE..L......T.....................`......r#....... ....@.........................................................................<........p...@..............h...........P'..............................h4..@............ ..........@....................text............................... ..`.rdata..`.... ....... ..............@..@.data...Xn.......0..................@....rsrc....@...p...P...0..............@..@.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/SetupLauncherV2.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: yDZoFhrU18 XrtyHMfOyeADRHySqtGBdPtotTiw07kpX3iIG6JgaIYjcea0v1fe
x-amz-request-id: 7CDDF9C2A908B104
Date: Thu, 29 Jan 2015 14:02:56 GMT
Last-Modified: Wed, 17 Dec 2014 05:06:53 GMT
ETag: "05baed2454892dd2e37e9b317bfd3ef8"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 4638
Server: AmazonS3
...<?xml version="1.0" encoding="UTF-8"?>..<LaunchData>...<LaunchBase>....<ProductType>1</ProductType>....<PackageType>7</PackageType>....<ManualType>1</ManualType>....<PackageVersionWin>7.0</PackageVersionWin>....<PackageVersionMac>5.0</PackageVersionMac>....<DownloaderVersion>30803</DownloaderVersion>....<SetupLauncherXMLVersion>00802</SetupLauncherXMLVersion>....<ProviderType>CW</ProviderType>....<ShowOnlineUserRegistButton>0</ShowOnlineUserRegistButton>....<EnableServerCheck>0</EnableServerCheck>....<InstallType>0</InstallType>...</LaunchBase>...<DownloadServerData>....<DownloadServerCount>2</DownloadServerCount>....<DownloadServer0>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he</DownloadServer0>....<DownloadServer1>hXXp://download.canon-its.jp/download/eset/cw/v8he</DownloadServer1>...</DownloadServerData>...<ConfrictRegistory>....<ConfrictDataCount>18</ConfrictDataCount>....<ConfrictPackage00 PackageName="G DATA Software">SYSTEM\CurrentControlSet\Services\AVKWCtl</ConfrictPackage00>....<ConfrictPackage01 PackageName="AVAST Antivirus">Software\ALWIL Software\Avast\4.0</ConfrictPackage01>....<ConfrictPackage02 PackageName="AVAST Antivirus">Software\Wow6432Node\ALWIL Software\Avast\4.0</ConfrictPackage02>....<ConfrictPackage03 Packa
<<< skipped >>>
GET /c-its/download/eset/cw/v8he/SetupNotification.xml HTTP/1.1
User-Agent: CITS Install Launcher
Host: s3-ap-northeast-1.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: 5yx7BHWGKGrKKFmVQ63p8gm7IuX2gNO4svYcwOsQ8SfReF3bUBtwCI36XTvlnPVx
x-amz-request-id: 37592F96B77220FF
Date: Thu, 29 Jan 2015 14:02:56 GMT
Last-Modified: Fri, 05 Dec 2014 09:05:14 GMT
ETag: "78fa9cca99944b28f9a9b5a9c0d44fe3"
Accept-Ranges: bytes
Content-Type: text/xml
Content-Length: 2294
Server: AmazonS3
...<?xml version="1.0" encoding="UTF-8"?>..<NotificationDataSet>...<NotificationVersion>00802</NotificationVersion>...<NotificationDataValueCount>5</NotificationDataValueCount>...<NotificationDataValue00>....<NFDTitle>...2014...12...11.........................................._BR_...................................................V8.0............................................................_BR_</NFDTitle>....<NFDURL>hXXp://canon-its.jp/product/eset/</NFDURL>....<NFDConditionType>2</NFDConditionType>....<NFDConditionValue>99</NFDConditionValue>....<STRCOLOR>23,55,94</STRCOLOR>...</NotificationDataValue00>...<NotificationDataValue01>....<NFDTitle>..........................................................................................................................................</NFDTitle>....<NFDURL>hXXp://canon-its.jp/supp/eset/etpc40137.html</NFDURL>....<NFDConditionType>2</NFDConditionType>....<NFDConditionValue>99</NFDConditionValue>....<STRCOLOR>23,55,94</STRCOLOR>...</NotificationDataValue01>...<NotificationDataValue02>....<NFDTitle>...ESET.......................................................................................Web...........................</NFDTitle>....<NFDURL></NFDURL>....<NFDConditionType>2</NFDConditionType>....<NFDConditionValue>99</NFDConditionValue&g
<<< skipped >>>
Map
The Worm connects to the servers at the folowing location(s):
Strings from Dumps
ekrn.exe_2988:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
!"#$%..&'()* ,-
!"#$%..&'()* ,-
t.WVj
t.WVj
.uIC;
.uIC;
RtlFormatCurrentUserKeyPath
RtlFormatCurrentUserKeyPath
RegCreateKeyExW
RegCreateKeyExW
CryptCATCatalogInfoFromContext
CryptCATCatalogInfoFromContext
CertOpenStore
CertOpenStore
CertCloseStore
CertCloseStore
CertEnumCertificatesInStore
CertEnumCertificatesInStore
CertEnumCRLsInStore
CertEnumCRLsInStore
CertControlStore
CertControlStore
MsiViewExecute
MsiViewExecute
WTHelperGetProvCertFromChain
WTHelperGetProvCertFromChain
CertNameToStrW
CertNameToStrW
CryptUIDlgViewCertificateW
CryptUIDlgViewCertificateW
CertAddCertificateContextToStore
CertAddCertificateContextToStore
CertAddEncodedCertificateToStore
CertAddEncodedCertificateToStore
CertCreateCertificateChainEngine
CertCreateCertificateChainEngine
CertGetCertificateChain
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertFreeCertificateChainEngine
WerReportCreate
WerReportCreate
WerReportAddDump
WerReportAddDump
WerReportSubmit
WerReportSubmit
ReportFault
ReportFault
WerReportCloseHandle
WerReportCloseHandle
NtAcceptConnectPort
NtAcceptConnectPort
NtRequestPort
NtRequestPort
NtRequestWaitReplyPort
NtRequestWaitReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePort
NtReplyPort
NtReplyPort
NtImpersonateClientOfPort
NtImpersonateClientOfPort
NtCreatePort
NtCreatePort
NtConnectPort
NtConnectPort
NtCompleteConnectPort
NtCompleteConnectPort
RegDeleteKeyExW
RegDeleteKeyExW
CertCreateCertificateContext
CertCreateCertificateContext
CertSetCertificateContextProperty
CertSetCertificateContextProperty
PFXImportCertStore
PFXImportCertStore
CertDuplicateCertificateContext
CertDuplicateCertificateContext
?456789:;
?456789:;
!"#$%&'()* ,-./0123
!"#$%&'()* ,-./0123
00006666
00006666
####====
####====
&&&&6666????
&&&&6666????
""""****
""""****
2222::::
2222::::
$$$$\\\\
$$$$\\\\
G1.3.6.1.4.1.311.2.1.4
G1.3.6.1.4.1.311.2.1.4
#hXXp://logo.verisign.com/vslogo.gif0
#hXXp://logo.verisign.com/vslogo.gif0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
=hXXp://VVV.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt0
=hXXp://VVV.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt0
.Class 3 Public Primary Certification Authority0
.Class 3 Public Primary Certification Authority0
Thawte Certification1
Thawte Certification1
ESET Module Signing Certificate
ESET Module Signing Certificate
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
inflate 1.2.3 Copyright 1995-2005 Mark Adler
application/x-www-form-urlencoded
application/x-www-form-urlencoded
NtCreateKey
NtCreateKey
NtDeleteKey
NtDeleteKey
NtDeleteValueKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateKey
NtEnumerateValueKey
NtEnumerateValueKey
NtOpenKey
NtOpenKey
NtQueryValueKey
NtQueryValueKey
NtSetValueKey
NtSetValueKey
%H:%M:%S
%H:%M:%S
SupportRequestXML_GZ
SupportRequestXML_GZ
SupportRequestXML
SupportRequestXML
SupportRequest
SupportRequest
SupportRequestAttachment_GZ
SupportRequestAttachment_GZ
SupportRequestAttachment
SupportRequestAttachment
/supportrequest/
/supportrequest/
"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Robert Wilensky
"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Robert Wilensky
hXXp://
hXXp://
multipart/form-data; boundary=%s
multipart/form-data; boundary=%s
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
1.2.840.113549.1.7.2
1.2.840.113549.1.7.2
1.2.840.113549.1.9.3
1.2.840.113549.1.9.3
1.2.840.113549.1.9.4
1.2.840.113549.1.9.4
1.3.6.1.4.1.311.10.1
1.3.6.1.4.1.311.10.1
1.2.840.113549.1.9.6
1.2.840.113549.1.9.6
1.2.840.113549.1.9.5
1.2.840.113549.1.9.5
1.2.840.113549.1.7.1
1.2.840.113549.1.7.1
1.2.840.113549.2.2
1.2.840.113549.2.2
1.2.840.113549.2.5
1.2.840.113549.2.5
1.3.14.3.2.26
1.3.14.3.2.26
2.16.840.1.101.3.4.2.4
2.16.840.1.101.3.4.2.4
2.16.840.1.101.3.4.2.1
2.16.840.1.101.3.4.2.1
2.16.840.1.101.3.4.2.2
2.16.840.1.101.3.4.2.2
2.16.840.1.101.3.4.2.3
2.16.840.1.101.3.4.2.3
%u.%u
%u.%u
1.2.840.113549.1.1.2
1.2.840.113549.1.1.2
1.2.840.113549.1.1.4
1.2.840.113549.1.1.4
1.2.840.113549.1.1.5
1.2.840.113549.1.1.5
1.3.14.3.2.29
1.3.14.3.2.29
1.2.840.10040.4.3
1.2.840.10040.4.3
CERTIFICATE
CERTIFICATE
1.2.840.113549.1.1.14
1.2.840.113549.1.1.14
1.2.840.113549.1.1.11
1.2.840.113549.1.1.11
1.2.840.113549.1.1.12
1.2.840.113549.1.1.12
1.2.840.113549.1.1.13
1.2.840.113549.1.1.13
-----BEGIN %s-----
-----BEGIN %s-----
-----END %s-----
-----END %s-----
2.5.29.35
2.5.29.35
2.5.29.14
2.5.29.14
2.5.29.19
2.5.29.19
s=0x%p,0x%x,0x%x
s=0x%p,0x%x,0x%x
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
RegCloseKey
RegCloseKey
RegEnumKeyExW
RegEnumKeyExW
RegEnumKeyW
RegEnumKeyW
RegDeleteKeyW
RegDeleteKeyW
HTTP/
HTTP/
X-Bypass-Cache
X-Bypass-Cache
hXXps://
hXXps://
%d.%d %d
%d.%d %d
HTTP/1.1
HTTP/1.1
MS Windows
MS Windows
00000001
00000001
smtp/%s
smtp/%s
charset=%s,
charset=%s,
username="%s",
username="%s",
realm="%s",
realm="%s",
nonce="%s",
nonce="%s",
nc=%s,
nc=%s,
cnonce="%s",
cnonce="%s",
digest-uri="%s",
digest-uri="%s",
response=%s,
response=%s,
qop=%s
qop=%s
EHLO %s
EHLO %s
LOGIN
LOGIN
AUTH LOGIN
AUTH LOGIN
HELO %s
HELO %s
MAIL FROM:
MAIL FROM:
%COMPUTERNAME%
%COMPUTERNAME%
RCPT TO:
RCPT TO:
From: %S
From: %S
To: %S
To: %S
Date: %s, %d %s %d d:d:d %cdd
Date: %s, %d %s %d d:d:d %cdd
boundary="%s"
boundary="%s"
Content-Type: text/plain; charset="Windows-%d"
Content-Type: text/plain; charset="Windows-%d"
ntdll.dll
ntdll.dll
KERNEL32.DLL
KERNEL32.DLL
kernel32.dll
kernel32.dll
msvcr80.dll
msvcr80.dll
x:
x:
ekrn.pdb
ekrn.pdb
KERNEL32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
USER32.dll
USER32.dll
WS2_32.dll
WS2_32.dll
GDI32.dll
GDI32.dll
RegOpenKeyW
RegOpenKeyW
ReportEventW
ReportEventW
RegOpenKeyA
RegOpenKeyA
RegUnLoadKeyW
RegUnLoadKeyW
RegLoadKeyW
RegLoadKeyW
ADVAPI32.dll
ADVAPI32.dll
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
MSVCP110.dll
MSVCP110.dll
MSVCR110.dll
MSVCR110.dll
_calloc_crt
_calloc_crt
_crt_debugger_hook
_crt_debugger_hook
__crtUnhandledException
__crtUnhandledException
__crtTerminateProcess
__crtTerminateProcess
__crtGetShowWindowMode
__crtGetShowWindowMode
_amsg_exit
_amsg_exit
_acmdln
_acmdln
__crtSetUnhandledExceptionFilter
__crtSetUnhandledExceptionFilter
GetProcessHeap
GetProcessHeap
.?AVCCrashDumpSupport@@
.?AVCCrashDumpSupport@@
.?AVCAppCrashDumpSupport@@
.?AVCAppCrashDumpSupport@@
.?AV?$CParamStructHelper@U_CCE_REPORT_EVENT_PARAMS@@@@
.?AV?$CParamStructHelper@U_CCE_REPORT_EVENT_PARAMS@@@@
.?AV?$CArrayNoThrow@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@
.?AV?$CArrayNoThrow@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@
.?AV?$CSortedArray@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@
.?AV?$CSortedArray@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@
.?AV?$CAutoFree@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@
.?AV?$CAutoFree@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@
.?AV?$CAutoFreePtr@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@
.?AV?$CAutoFreePtr@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@
.?AV?$CParamStructHelper@U_CCE_WEB_LOGIN_ASSOCIATION_NOTIFY_PARAMS@@@@
.?AV?$CParamStructHelper@U_CCE_WEB_LOGIN_ASSOCIATION_NOTIFY_PARAMS@@@@
.?AVCECPRequestMessageWebloginDissociation@@
.?AVCECPRequestMessageWebloginDissociation@@
.?AVCECPRequestMessageWebloginAssociation@@
.?AVCECPRequestMessageWebloginAssociation@@
.?AVCECPRequestMessageWebloginAuthentication@@
.?AVCECPRequestMessageWebloginAuthentication@@
.?AVCECPResponseCommandWebloginAssociation@@
.?AVCECPResponseCommandWebloginAssociation@@
.?AV?$CExportConfigList@VCShowMessagesConfig@@@@
.?AV?$CExportConfigList@VCShowMessagesConfig@@@@
.?AVCExportConfig@@
.?AVCExportConfig@@
.?AV?$CParamStructHelper@U_CCE_EXECUTE_GUI_CMD_DATA_PARAMS@@@@
.?AV?$CParamStructHelper@U_CCE_EXECUTE_GUI_CMD_DATA_PARAMS@@@@
.?AV?$CArray@U_ONE_REQUEST@CSupportRequests@@ABU12@@@
.?AV?$CArray@U_ONE_REQUEST@CSupportRequests@@ABU12@@@
.?AV?$RefCountObj@VX509CertificateCollection@@@@
.?AV?$RefCountObj@VX509CertificateCollection@@@@
.?AVWinCertStoreImpl@@
.?AVWinCertStoreImpl@@
.?AVCertStoreInterface@@
.?AVCertStoreInterface@@
.?AV?$RefCountObj@VX509Certificate@@@@
.?AV?$RefCountObj@VX509Certificate@@@@
.?AV?$CArrayNoThrow@V?$CountedPtr@VX509Certificate@@@@ABV1@@@
.?AV?$CArrayNoThrow@V?$CountedPtr@VX509Certificate@@@@ABV1@@@
.?AVAuthorityKeyIdentifierExtension@@
.?AVAuthorityKeyIdentifierExtension@@
.?AVSubjectKeyIdentifierExtension@@
.?AVSubjectKeyIdentifierExtension@@
.?AV?$CArray@VCHTTPBuffer@@ABV1@@@
.?AV?$CArray@VCHTTPBuffer@@ABV1@@@
.?AVCHTTPBuffer@@
.?AVCHTTPBuffer@@
.?AVCTransport@@
.?AVCTransport@@
.?AVCTransportSSL@@
.?AVCTransportSSL@@
.?AV?$CArray@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@ABV12@@@
.?AV?$CArray@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@ABV12@@@
.?AVCECPRequestCommandWebloginDissociation@@
.?AVCECPRequestCommandWebloginDissociation@@
.?AVCECPRequestCommandWebloginAssociation@@
.?AVCECPRequestCommandWebloginAssociation@@
.?AVCECPRequestCommandWebloginAuthentication@@
.?AVCECPRequestCommandWebloginAuthentication@@
7Å’8N8d8q8~8
7Å’8N8d8q8~8
2 2$2(2,2024282
2 2$2(2,2024282
1 1%1 111
1 1%1 111
7&8-8V8f8}8
7&8-8V8f8}8
9 9$9(9,90949
9 9$9(9,90949
=!=2>|>6?
=!=2>|>6?
5$5(5,5054585
5$5(5,5054585
9 9$9(9,9094989
9 9$9(9,9094989
7 7$7(7,70747
7 7$7(7,70747
>,>0>4>8>\>`>
>,>0>4>8>\>`>
5!5R5C5J5T5\5`5r5v5
5!5R5C5J5T5\5`5r5v5
6 6%6U6_6e6o6
6 6%6U6_6e6o6
4%5U5
4%5U5
:0:4:8:<:>
:0:4:8:<:>
3 3$3(3,3034383
3 3$3(3,3034383
7 7$7(7,7074787
7 7$7(7,7074787
5 5
5 5
requested feature requires XML_DTD support in Expat
requested feature requires XML_DTD support in Expat
unexpected parser state - please send a bug report
unexpected parser state - please send a bug report
xml=hXXp://VVV.w3.org/XML/1998/namespace
xml=hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://VVV.w3.org/2000/xmlns/
hXXp://VVV.w3.org/2000/xmlns/
msi.dll
msi.dll
advapi32.dll
advapi32.dll
shell32.dll
shell32.dll
userenv.dll
userenv.dll
user32.dll
user32.dll
wtsapi32.dll
wtsapi32.dll
secur32.dll
secur32.dll
Security.dll
Security.dll
iphlpapi.dll
iphlpapi.dll
ws2_32.dll
ws2_32.dll
wintrust.dll
wintrust.dll
crypt32.dll
crypt32.dll
cryptui.dll
cryptui.dll
powrprof.dll
powrprof.dll
wer.dll
wer.dll
faultrep.dll
faultrep.dll
netapi32.dll
netapi32.dll
rasapi32.dll
rasapi32.dll
mpr.dll
mpr.dll
rpcrt4.dll
rpcrt4.dll
wlanapi.dll
wlanapi.dll
setupapi.dll
setupapi.dll
dbghelp.dll
dbghelp.dll
psapi.dll
psapi.dll
%seset_x_%x.%s
%seset_x_%x.%s
%u,%d
%u,%d
%d.%d.%d
%d.%d.%d
PasswordChangedFlag
PasswordChangedFlag
LinkUrl
LinkUrl
UsernamePassword
UsernamePassword
Windows
Windows
%d.%d
%d.%d
\\.\ehdrv
\\.\ehdrv
SupportMail
SupportMail
SupportCompany
SupportCompany
SupportCountry
SupportCountry
CustomerCareWeb
CustomerCareWeb
RAClientPort
RAClientPort
RAClientPassword
RAClientPassword
RAClientPortAlt
RAClientPortAlt
RAClientPasswordAlt
RAClientPasswordAlt
SMTP_Enabled
SMTP_Enabled
SMTP_Flags
SMTP_Flags
SMTP_Server
SMTP_Server
SMTP_SenderAddress
SMTP_SenderAddress
SMTP_Address
SMTP_Address
SMTP_Username
SMTP_Username
SMTP_Password
SMTP_Password
MsgFormatVirus
MsgFormatVirus
MsgFormatError
MsgFormatError
MsgMinStatusSend
MsgMinStatusSend
MsgMinStatusLog
MsgMinStatusLog
ProxyPort
ProxyPort
ProxyPassword
ProxyPassword
NapSupportEnabled
NapSupportEnabled
CrashDumpSupport
CrashDumpSupport
*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc|*.doc?|*.dot?|*.xls?|*.xlt?|*.ppt?|*.pot?|*.pps?
*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc|*.doc?|*.dot?|*.xls?|*.xlt?|*.ppt?|*.pot?|*.pps?
WebClientID
WebClientID
WebClientComputerName
WebClientComputerName
WebClientToken
WebClientToken
LockPassword
LockPassword
Node_d
Node_d
LastExec
LastExec
Software\ESET\ESET Security\CurrentVersion\Scheduler\%u
Software\ESET\ESET Security\CurrentVersion\Scheduler\%u
.DEFAULT
.DEFAULT
virlog.dat
virlog.dat
warnlog.dat
warnlog.dat
HIPS: P=%u R=%u
HIPS: P=%u R=%u
EHttpSrv
EHttpSrv
shellExt.dll
shellExt.dll
{B089FE88-FB52-11D3-BDF1-0050DA34150D}
{B089FE88-FB52-11D3-BDF1-0050DA34150D}
SECTION;ID=#01000103\STATUS\RECORD;PLUGIN=#%X;UNIQUEID=#%X
SECTION;ID=#01000103\STATUS\RECORD;PLUGIN=#%X;UNIQUEID=#%X
SYSTEM\CurrentControlSet\Services\%s
SYSTEM\CurrentControlSet\Services\%s
SUPPORT
SUPPORT
PASSWORD
PASSWORD
ppeset.dll
ppeset.dll
SECTION;ID=#01000103\BACKGROUND_ACTIVITY\RECORD;PLUGIN=#%X;UNIQUEID=#%X
SECTION;ID=#01000103\BACKGROUND_ACTIVITY\RECORD;PLUGIN=#%X;UNIQUEID=#%X
ecmd.exe
ecmd.exe
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%SZ
nomsg
nomsg
edf.eset.com
edf.eset.com
%sMSG_X_X_X.ecm
%sMSG_X_X_X.ecm
e%s*.ecm
e%s*.ecm
CMDLINE
CMDLINE
WEB_USER_ID
WEB_USER_ID
%sdd%c.dat
%sdd%c.dat
%u.%u.%u %s
%u.%u.%u %s
%u MB
%u MB
P=%u R=%u
P=%u R=%u
%d min
%d min
eguiProduct.dll
eguiProduct.dll
Software\ESET\ESET Security\CurrentVersion\Scanners\X
Software\ESET\ESET Security\CurrentVersion\Scanners\X
%s\X
%s\X
SECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=%X\PROFILES\NODE;NAME="%s";TYPE=SUBNODE
SECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=%X\PROFILES\NODE;NAME="%s";TYPE=SUBNODE
ekrnLang.dll
ekrnLang.dll
explorer.exe
explorer.exe
egui.exe
egui.exe
startupcore.exe
startupcore.exe
nt4ldr.exe" "
nt4ldr.exe" "
nt4ldr.exe
nt4ldr.exe
egui.exe" /hide
egui.exe" /hide
startupcore.exe"
startupcore.exe"
${Username}=%s|${DistributorGUID}=%s|${ExpirationState}=%u|${ExpirationDate}=%s|${LicenseType}=%u|${LicenseCancelled}=%u|${PasswordChanged}=%u|${ProductName}=%s|${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${AdditionalArguments}=%s|${DaysToExpire}=%u|${DaysExpired}=%u|${ExpireDaysWord}=%s|${ExpiredDaysWord}=%s
${Username}=%s|${DistributorGUID}=%s|${ExpirationState}=%u|${ExpirationDate}=%s|${LicenseType}=%u|${LicenseCancelled}=%u|${PasswordChanged}=%u|${ProductName}=%s|${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${AdditionalArguments}=%s|${DaysToExpire}=%u|${DaysExpired}=%u|${ExpireDaysWord}=%s|${ExpiredDaysWord}=%s
nod32api.dll
nod32api.dll
nod32aui.dll
nod32aui.dll
Software\ESET\ESET Security\CurrentVersion\Plugins\APIx
Software\ESET\ESET Security\CurrentVersion\Plugins\APIx
${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%i|${EvalId}=%u
${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%i|${EvalId}=%u
eScan\*.dat
eScan\*.dat
ekrn.exe
ekrn.exe
TypesSupported
TypesSupported
Import settings failed in plugin: X
Import settings failed in plugin: X
*.lic
*.lic
GROUP;NAME=PLUGIN_INFO_X
GROUP;NAME=PLUGIN_INFO_X
%USERNAME%
%USERNAME%
%SCANNER%
%SCANNER%
reqX.xml
reqX.xml
*.xml
*.xml
EKRN/EGUI.support.form.req
EKRN/EGUI.support.form.req
EKRN/SCHEDULER.req
EKRN/SCHEDULER.req
EKRN/RA.req
EKRN/RA.req
*.zip
*.zip
OID.Unknown=
OID.Unknown=
NODX.lic
NODX.lic
xem000_32.dat
xem000_32.dat
iploc.eset.com
iploc.eset.com
%i.%i.%i.%i%c%c
%i.%i.%i.%i%c%c
\??\PHYSICALDRIVE%d
\??\PHYSICALDRIVE%d
\\.\PHYSICALDRIVE%d
\\.\PHYSICALDRIVE%d
NOD_SHMEM_%s%x
NOD_SHMEM_%s%x
SERVER;NAME=X_X
SERVER;NAME=X_X
OPTION;OPTNAME=ListeningPort
OPTION;OPTNAME=ListeningPort
OPTION;OPTNAME=CertificateChainFile
OPTION;OPTNAME=CertificateChainFile
OPTION;OPTNAME=CertificateType
OPTION;OPTNAME=CertificateType
OPTION;OPTNAME=PrivateKeyFile
OPTION;OPTNAME=PrivateKeyFile
OPTION;OPTNAME=PrivateKeyType
OPTION;OPTNAME=PrivateKeyType
GLOBAL\OPTION;OPTNAME=ListeningPort
GLOBAL\OPTION;OPTNAME=ListeningPort
SYSTEM\CurrentControlSet\Services\%s\Parameters
SYSTEM\CurrentControlSet\Services\%s\Parameters
%s\%s
%s\%s
SupportRequests\
SupportRequests\
\\%s\mailslot\messngr
\\%s\mailslot\messngr
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
\BaseNamedObjects\NODCOMMXToXCommPort
\BaseNamedObjects\NODCOMMXToXCommPort
NODCOMMXToXReceiverMutex
NODCOMMXToXReceiverMutex
NODCOMMXToXCommMutex
NODCOMMXToXCommMutex
NODCOMMXToXSendEvent
NODCOMMXToXSendEvent
NODCOMMXToXAckEvent
NODCOMMXToXAckEvent
NODCOMMXToXSection
NODCOMMXToXSection
%sNODCOMMXToXBroadcastMutex
%sNODCOMMXToXBroadcastMutex
%sNODCOMMXToXBroadcast
%sNODCOMMXToXBroadcast
\Device\LanmanRedirector\;%c:
\Device\LanmanRedirector\;%c:
\\.\MountPointManager
\\.\MountPointManager
{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}
{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
\\.\root\SecurityCenter
\\.\root\SecurityCenter
pathToSignedProductExe
pathToSignedProductExe
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion
(%u MHz)
(%u MHz)
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
NTUSER.DAT
NTUSER.DAT
%s_%s
%s_%s
RegUnLoadKey key='%s' Result=%x
RegUnLoadKey key='%s' Result=%x
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer
%s_%s\%s\%s
%s_%s\%s\%s
%s\%s\%s
%s\%s\%s
%USERPROFILE%
%USERPROFILE%
'GetUserProfileInt' subkey '%s' failed!
'GetUserProfileInt' subkey '%s' failed!
comctl32.dll
comctl32.dll
wzcsapi.dll
wzcsapi.dll
%s
%s
0fa1201d-4330-4fa8-8ae9-b877473b6441
0fa1201d-4330-4fa8-8ae9-b877473b6441
e6cf1350-c01b-414d-a61f-263d14d133b4
e6cf1350-c01b-414d-a61f-263d14d133b4
Important
Important
boot.ini
boot.ini
\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\Microsoft\Windows\CurrentVersion
\Microsoft\Windows\CurrentVersion
\Microsoft\Windows NT\CurrentVersion
\Microsoft\Windows NT\CurrentVersion
\\.\physicaldrive%lu
\\.\physicaldrive%lu
{830B4F09-F236-4c2e-96BF-D4C0191A9B4F}
{830B4F09-F236-4c2e-96BF-D4C0191A9B4F}
{524032E4-E071-44c8-9139-E99FC2697F44}
{524032E4-E071-44c8-9139-E99FC2697F44}
{60042969-6CCA-46cd-81D4-22A056C989F3}
{60042969-6CCA-46cd-81D4-22A056C989F3}
{5C70CD3A-8913-4d93-94F7-79182EF1B930}
{5C70CD3A-8913-4d93-94F7-79182EF1B930}
{46B223A0-8EB6-47ba-AD5D-B69E3C1511D9}
{46B223A0-8EB6-47ba-AD5D-B69E3C1511D9}
{45210F63-3ABB-49ec-9E1F-6BE0C6EFAA39}
{45210F63-3ABB-49ec-9E1F-6BE0C6EFAA39}
{03400AF0-EB11-4b87-B204-49168F392DC9}
{03400AF0-EB11-4b87-B204-49168F392DC9}
{7EA86DCE-8271-4417-AA6C-526E8A4B748B}
{7EA86DCE-8271-4417-AA6C-526E8A4B748B}
{92147EEA-7C84-4055-9E6A-F32CD6A609C0}
{92147EEA-7C84-4055-9E6A-F32CD6A609C0}
{BAADCF1E-4EFB-4116-9F05-58F6D23C2E0D}
{BAADCF1E-4EFB-4116-9F05-58F6D23C2E0D}
{9F6A9C27-9CCD-4236-9B36-974D9D7F3442}
{9F6A9C27-9CCD-4236-9B36-974D9D7F3442}
{1EDE29DD-DC3F-426c-8021-0596D6696639}
{1EDE29DD-DC3F-426c-8021-0596D6696639}
EventSystem.EventSubscription
EventSystem.EventSubscription
{d5978630-5b9f-11d1-8dd2-00aa004abd5e}
{d5978630-5b9f-11d1-8dd2-00aa004abd5e}
{d5978650-5b9f-11d1-8dd2-00aa004abd5e}
{d5978650-5b9f-11d1-8dd2-00aa004abd5e}
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
(lX-X-X-XX-XXXXXX)
(lX-X-X-XX-XXXXXX)
{lX-X-X-XX-XXXXXX}
{lX-X-X-XX-XXXXXX}
lX-X-X-XX-XXXXXX
lX-X-X-XX-XXXXXX
XXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX
report-suspicion
report-suspicion
lpasswd
lpasswd
passwd
passwd
hXXp://VVV.eset.com/2012/02/ecp
hXXp://VVV.eset.com/2012/02/ecp
weblogin-authentication
weblogin-authentication
weblogin-association
weblogin-association
send-webcam-snapshot
send-webcam-snapshot
weblogin-dissociation
weblogin-dissociation
AntiVirusProduct.instanceGuid="{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}"
AntiVirusProduct.instanceGuid="{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}"
AntiSpywareProduct.instanceGuid="{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}"
AntiSpywareProduct.instanceGuid="{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}"
FirewallProduct.instanceGuid="{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}"
FirewallProduct.instanceGuid="{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}"
gui.webpurchase.show
gui.webpurchase.show
gui.webrenew.show
gui.webrenew.show
-ddd-dd
-ddd-dd
-ddd-dd-%d
-ddd-dd-%d
SysInspector.exe
SysInspector.exe
"%s" /gen="%s" /supersilent %s %s %s %s %s
"%s" /gen="%s" /supersilent %s %s %s %s %s
8.0.304.0
8.0.304.0
{%TimeStamp% - Module %Scanner% - Threat Alert triggered on computer %ComputerName%: %InfectedObject% contains %VirusName%.
{%TimeStamp% - Module %Scanner% - Threat Alert triggered on computer %ComputerName%: %InfectedObject% contains %VirusName%.
%TimeStamp% - During execution of %ProgramName% on the computer %ComputerName%, the following warning occurred: %ErrorDescription%
%TimeStamp% - During execution of %ProgramName% on the computer %ComputerName%, the following warning occurred: %ErrorDescription%
Operating system information
Operating system information
Operating system:
Operating system:
Operating system version:
Operating system version:
Operating system type:
Operating system type:
%s(Version of common control components:
%s(Version of common control components:
%s %s
%s %s
once, %s.
once, %s.
repeatedly, every minutes.
repeatedly, every minutes.
Every day at %s.
Every day at %s.
at %s on the following days:
at %s on the following days:
at .
at .
Task will not be run.%Task will be run as soon as possible.LTask will be run if it has not completed within the last hours.
Task will not be run.%Task will be run as soon as possible.LTask will be run if it has not completed within the last hours.
& (At maximum every hours)
& (At maximum every hours)
%s!Remaining trial period:
%s!Remaining trial period:
%s day(s)
%s day(s)
dUser does not have administrator privileges. The Anti-Stealth technology is working in limited mode.qAnti-Stealth initialization could not be fully completed. The Anti-Stealth technology is working in limited mode.
dUser does not have administrator privileges. The Anti-Stealth technology is working in limited mode.qAnti-Stealth initialization could not be fully completed. The Anti-Stealth technology is working in limited mode.
4Error submitting ThreatSense.Net data to RA: TimeoutIError submitting ThreatSense.Net data to RA: Synchronization lost on exitKError submitting ThreatSense.Net data to RA: Synchronization lost on submit
4Error submitting ThreatSense.Net data to RA: TimeoutIError submitting ThreatSense.Net data to RA: Synchronization lost on exitKError submitting ThreatSense.Net data to RA: Synchronization lost on submit
Could not retrieve MAC address.:Authentication to ESET Remote Administrator Server failed.GAuthentication to ESET Remote Administrator Server ended up with error.6Connection to ESET Remote Administrator Server failed.
Could not retrieve MAC address.:Authentication to ESET Remote Administrator Server failed.GAuthentication to ESET Remote Administrator Server ended up with error.6Connection to ESET Remote Administrator Server failed.
but could not be deleted from their original location!0The file %s is too large to submit for analysis!.%d files are too large to submit for analysis!
but could not be deleted from their original location!0The file %s is too large to submit for analysis!.%d files are too large to submit for analysis!
OAn error occurred while running a service script. No operations were performed.LThe service script "%s" was run successfully. All operations were processed.
OAn error occurred while running a service script. No operations were performed.LThe service script "%s" was run successfully. All operations were processed.
[The service script "%s" was processed partially. %s completed successfully while %d failed.MThe service script "%s" ran unsuccessfully. No operations could be processed.(%d operation|%d operations|%d operations(%d operation|%d operations|%d operations
[The service script "%s" was processed partially. %s completed successfully while %d failed.MThe service script "%s" ran unsuccessfully. No operations could be processed.(%d operation|%d operations|%d operations(%d operation|%d operations|%d operations
Gaming mode enabled. All pop-up windows are suppressed and scheduled tasks paused. Gaming mode can be disabled here: Disable Gaming mode
Gaming mode enabled. All pop-up windows are suppressed and scheduled tasks paused. Gaming mode can be disabled here: Disable Gaming mode
Enable email protection&Email protection is currently disabledVEnable Email client protection Web access protection is currently disabled
Enable email protection&Email protection is currently disabledVEnable Email client protection Web access protection is currently disabled
Web access antivirus protection disabled by user. Enable Web access protection
Web access antivirus protection disabled by user. Enable Web access protection
Enable web access protection Web access protection is currently disabledTEnable web access protection
Enable web access protection Web access protection is currently disabledTEnable web access protection
Gaming mode enabledLDisable Gaming mode"Operating system is not up to date
Gaming mode enabledLDisable Gaming mode"Operating system is not up to date
This computer does not have all available operating system updates installed. Please install the missing updates by means of the Windows Update service. For more information, click here.)Display information about missing updates
This computer does not have all available operating system updates installed. Please install the missing updates by means of the Windows Update service. For more information, click here.)Display information about missing updates
pThe latest version of Windows Update is not installed. To update the operating system, click here.
pThe latest version of Windows Update is not installed. To update the operating system, click here.
Run operating system update"Operating system is not up to date
Run operating system update"Operating system is not up to date
The lifetime of this version will end in ${DaysToExpire} day(s). We recommend that you download a newer version from here. Your license will expire shortly
The lifetime of this version will end in ${DaysToExpire} day(s). We recommend that you download a newer version from here. Your license will expire shortly
The lifetime of this trial version will end in ${DaysToExpire} day(s). To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.
The lifetime of this trial version will end in ${DaysToExpire} day(s). To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.
The lifetime of this version has ended. We recommend that you download a newer version from here.
The lifetime of this version has ended. We recommend that you download a newer version from here.
The lifetime of this trial version has ended. To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.
The lifetime of this trial version has ended. To purchase the full version of the program, visit our website. If you have already acquired a license, you can upgrade the program to the full version.
Your license expire shortlymRenew license
Your license expire shortlymRenew license
License expiredmRenew license
License expiredmRenew license
To ensure up-to-date protection, contact your network administrator or renew your license online. If you have already received a new license (Username and Password), enter it here.
To ensure up-to-date protection, contact your network administrator or renew your license online. If you have already received a new license (Username and Password), enter it here.
Enable ESET Anti-Theft Do not remind me again
Enable ESET Anti-Theft Do not remind me again
ESET Anti-Theft is availableKEnable ESET Anti-TheftCProtection of your device ends in ${DaysToExpire} ${ExpireDaysWord}
ESET Anti-Theft is availableKEnable ESET Anti-TheftCProtection of your device ends in ${DaysToExpire} ${ExpireDaysWord}
Buy a new license today to make sure you are protected.
Buy a new license today to make sure you are protected.
Buy a new license today to make sure you are protected or activate your new license.$Protection of your device ends today
Buy a new license today to make sure you are protected or activate your new license.$Protection of your device ends today
Buy a new license today to make sure you are protected or activate your new license.&Protection of your device ends shortly
Buy a new license today to make sure you are protected or activate your new license.&Protection of your device ends shortly
Buy a new license today to make sure you are protected or activate your new license.
Buy a new license today to make sure you are protected or activate your new license.